diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000000..9fb85ec49f --- /dev/null +++ b/.gitattributes @@ -0,0 +1,14 @@ +# Set the default behavior, in case people don't have core.autocrlf set. +* text=auto + +# Explicitly declare text files you want to always be normalized and converted +# to native line endings on checkout. +*.c text +*.h text + +# Declare files that will always have CRLF line endings on checkout. +*.sln text eol=crlf + +# Denote all files that are truly binary and should not be modified. +*.png binary +*.jpg binary \ No newline at end of file diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index f9d982e542..82a24ff791 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -34,6 +34,22 @@ "moniker_groups": [], "version": 0 }, + { + "docset_name": "eula-vsts", + "build_source_folder": "windows/eulas", + "build_output_subfolder": "eula-vsts", + "locale": "en-us", + "monikers": [], + "moniker_ranges": [], + "open_to_public_contributors": false, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes" + }, { "docset_name": "gdpr", "build_source_folder": "gdpr", @@ -508,14 +524,18 @@ "master": [ "Publish", "Pdf" + ], + "atp-api-danm": [ + "Publish", + "Pdf" ] }, "need_generate_pdf_url_template": true, - "need_generate_pdf": false, - "need_generate_intellisense": false, - "Targets": { + "targets": { "Pdf": { "template_folder": "_themes.pdf" } - } + }, + "need_generate_pdf": false, + "need_generate_intellisense": false } \ No newline at end of file diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index bd9b057880..e8aa9bae33 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,36 @@ { "redirections": [ { +"source_path": "windows/application-management/msix-app-packaging-tool-walkthrough.md", +"redirect_url": "https://docs.microsoft.com/windows/msix/mpt-overview", +"redirect_document_id": true +}, +{ +"source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md", +"redirect_url": "https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility", +"redirect_document_id": true +}, +{ +"source_path": "windows/deployment/update/windows-update-sources.md", +"redirect_url": "/windows/deployment/update/how-windows-update-works", +"redirect_document_id": true +}, +{ +"source_path": "browsers/edge/hardware-and-software-requirements.md", +"redirect_url": "https://docs.microsoft.com/microsoft-edge/deploy/about-microsoft-edge", +"redirect_document_id": true +}, +{ +"source_path": "browsers/edge/security-enhancements-microsoft-edge.md", +"redirect_url": "https://docs.microsoft.com/microsoft-edge/deploy/group-policies/security-privacy-management-gp", +"redirect_document_id": true +}, +{ +"source_path": "browsers/edge/new-policies.md", +"redirect_url": "https://docs.microsoft.com/microsoft-edge/deploy/change-history-for-microsoft-edge", +"redirect_document_id": true +}, +{ "source_path": "windows/security/threat-protection/intelligence/av-tests.md", "redirect_url": "/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests", "redirect_document_id": true @@ -27,12 +57,12 @@ }, { "source_path": "windows/deployment/update/waas-windows-insider-for-business-aad.md", -"redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-add", +"redirect_url": "https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-add", "redirect_document_id": true }, { "source_path": "windows/deployment/update/waas-windows-insider-for-business-faq.md", -"redirect_url": "https://docs.microsoft.com/en-us/windows-insider/at-work-pro/wip-4-biz-get-started", +"redirect_url": "https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started", "redirect_document_id": true }, { @@ -5321,6 +5351,11 @@ "redirect_document_id": true }, { +"source_path": "windows/client-management/mdm/policy-csp-location.md", +"redirect_url": "/windows/client-management/mdm/policy-configuration-service-provider", +"redirect_document_id": false +}, +{ "source_path": "windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md", "redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune", "redirect_document_id": false @@ -5386,11 +5421,36 @@ "redirect_document_id": true }, { +"source_path": "devices/surface/manage-surface-dock-firmware-updates.md", +"redirect_url": "devices/surface/update", +"redirect_document_id": true +}, +{ "source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md", "redirect_url": "/surface-hub/finishing-your-surface-hub-meeting", "redirect_document_id": true }, { +"source_path": "devices/hololens/hololens-microsoft-layout-app.md", +"redirect_url": "/hololens/hololens-microsoft-dynamics-365-layout-app", +"redirect_document_id": true +}, +{ +"source_path": "devices/hololens/hololens-microsoft-dynamics-365-layout-app.md", +"redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/layout/", +"redirect_document_id": true +}, +{ +"source_path": "devices/hololens/hololens-microsoft-remote-assist-app.md", +"redirect_url": "https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/", +"redirect_document_id": true +}, +{ +"source_path": "devices/hololens/hololens-public-preview-apps.md", +"redirect_url": "https://docs.microsoft.com/dynamics365/#pivot=mixed-reality-apps", +"redirect_document_id": true +}, +{ "source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md", "redirect_url": "/surface-hub/provisioning-packages-for-surface-hub", "redirect_document_id": true @@ -6856,6 +6916,11 @@ "redirect_document_id": true }, { +"source_path": "windows/configuration/start-taskbar-lockscreen.md", +"redirect_url": "/windows/configuration/windows-10-start-layout-options-and-policies", +"redirect_document_id": true +}, +{ "source_path": "windows/configure/stop-employees-from-using-the-windows-store.md", "redirect_url": "/windows/configuration/stop-employees-from-using-the-windows-store", "redirect_document_id": true @@ -13757,7 +13822,7 @@ }, { "source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md", -"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803", +"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809", "redirect_document_id": true }, { @@ -13825,5 +13890,15 @@ "redirect_url": "/education/windows/autopilot-reset", "redirect_document_id": true }, +{ +"source_path": "windows/deployment/windows-autopilot/windows-10-autopilot.md", +"redirect_url": "/windows/deployment/windows-autopilot/windows-autopilot", +"redirect_document_id": true +}, +{ +"source_path": "windows/privacy/manage-windows-endpoints.md", +"redirect_url": "/windows/privacy/manage-windows-1809-endpoints", +"redirect_document_id": true +} ] } diff --git a/README.md b/README.md index 01059ee91d..824a7c6d56 100644 --- a/README.md +++ b/README.md @@ -1,26 +1,3 @@ ## Microsoft Open Source Code of Conduct - This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). -For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. - -# Windows IT professional documentation - -Welcome! This repository houses the docs that are written for IT professionals for the following products: - -- [Windows 10](https://technet.microsoft.com/itpro/windows) -- [Internet Explorer 11](https://technet.microsoft.com/itpro/internet-explorer) -- [Microsoft Edge](https://technet.microsoft.com/itpro/microsoft-edge) -- [Surface](https://technet.microsoft.com/itpro/surface) -- [Surface Hub](https://technet.microsoft.com/itpro/surface-hub) -- [Windows 10 for Education](https://technet.microsoft.com/edu/windows) -- [HoloLens](https://technet.microsoft.com/itpro/hololens) -- [Microsoft Desktop Optimization Pack](https://technet.microsoft.com/itpro/mdop) - -## Contributing - -We actively merge contributions into this repository via [pull request](https://help.github.com/articles/using-pull-requests/) into the *master* branch. -If you are not a Microsoft employee, before you submit a pull request you must [sign a Contribution License Agreement](https://cla.microsoft.com/) to ensure that the community is free to use your submissions. -For more information on contributing, read our [contributions guide](CONTRIBUTING.md). - - -This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information, see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. +For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. \ No newline at end of file diff --git a/[!NOTE] b/[!NOTE] deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md index 15060d33b4..3314f77577 100644 --- a/browsers/edge/TOC.md +++ b/browsers/edge/TOC.md @@ -4,31 +4,28 @@ ## [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) -## [(Preview) New Microsoft Edge Group Policies and MDM settings](new-policies.md) - -## [(Preview) Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md) +## [Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md) ## [Group policies & configuration options](group-policies/index.yml) -### [All group policies](available-policies.md) -### [Address bar settings](group-policies/address-bar-settings-gp.md) -### [Adobe settings](group-policies/adobe-settings-gp.md) -### [Books Library management](group-policies/books-library-management-gp.md) -### [Browser settings management](group-policies/browser-settings-management-gp.md) -### [Developer settings](group-policies/developer-settings-gp.md) -### [Extensions management](group-policies/extensions-management-gp.md) -### [Favorites management](group-policies/favorites-management-gp.md) -### [Home button settings](group-policies/home-button-gp.md) -### [Interoperability and enterprise guidance](group-policies/interoperability-enterprise-guidance-gp.md) -### [New tab page settings](group-policies/new-tab-page-settings-gp.md) +### [Address bar](group-policies/address-bar-settings-gp.md) +### [Adobe Flash](group-policies/adobe-settings-gp.md) +### [Books Library](group-policies/books-library-management-gp.md) +### [Browser experience](group-policies/browser-settings-management-gp.md) +### [Developer tools](group-policies/developer-settings-gp.md) +### [Extensions](group-policies/extensions-management-gp.md) +### [Favorites](group-policies/favorites-management-gp.md) +### [Home button](group-policies/home-button-gp.md) +### [Interoperability and enterprise mode guidance](group-policies/interoperability-enterprise-guidance-gp.md) +### [Kiosk mode deployment in Microsoft Edge](microsoft-edge-kiosk-mode-deploy.md) +### [New Tab page](group-policies/new-tab-page-settings-gp.md) ### [Prelaunch Microsoft Edge and preload tabs](group-policies/prelaunch-preload-gp.md) ### [Search engine customization](group-policies/search-engine-customization-gp.md) -### [Security and privacy management](group-policies/security-privacy-management-gp.md) -### [Start pages settings](group-policies/start-pages-gp.md) -### [Sync browser settings](group-policies/sync-browser-settings-gp.md) +### [Security and privacy](group-policies/security-privacy-management-gp.md) +### [Start page](group-policies/start-pages-gp.md) +### [Sync browser](group-policies/sync-browser-settings-gp.md) ### [Telemetry and data collection](group-policies/telemetry-management-gp.md) - ## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md) ## [Microsoft Edge Frequently Asked Questions (FAQs)](microsoft-edge-faq.md) diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md index 60c5343bac..deef9f2c1a 100644 --- a/browsers/edge/about-microsoft-edge.md +++ b/browsers/edge/about-microsoft-edge.md @@ -5,10 +5,11 @@ ms.assetid: 70377735-b2f9-4b0b-9658-4cf7c1d745bb author: shortpatti ms.prod: edge ms.mktglfcycl: general +ms.topic: reference ms.sitesec: library title: Microsoft Edge for IT Pros ms.localizationpriority: medium -ms.date: 07/29/2018 +ms.date: 10/02/2018 --- # Microsoft Edge system and language requirements @@ -21,7 +22,6 @@ Microsoft Edge is the new, default web browser for Windows 10, helping you to e >The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. - ## Minimum system requirements Some of the components might also need additional system resources. Check the component's documentation for more information. @@ -36,13 +36,14 @@ Some of the components might also need additional system resources. Check the co | Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | | Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | | Peripherals | Internet connection and a compatible pointing device | - +---   ## Supported languages +Microsoft Edge supports all of the same languages as Windows 10 and you can use the [Microsoft Translator extension](https://www.microsoft.com/en-us/p/translator-for-microsoft-edge/9nblggh4n4n3) to translate foreign language web pages and text selections for 60+ languages. -Microsoft Edge supports all of the same languages as Windows 10, including: +If the extension does not work after install, restart Microsoft Edge. If the extension still does not work, provide feedback through the Feedback Hub. | Language | Country/Region | Code | diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index f21ac4a827..e62e7d861d 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -1,39 +1,39 @@ --- -description: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. +description: You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 author: shortpatti ms.author: pashort -manager: elizapo +manager: dougkim ms.prod: edge ms.mktglfcycl: explore +ms.topic: reference ms.sitesec: library title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) ms.localizationpriority: medium -ms.date: 07/20/2018 +ms.date: 10/29/2018 --- # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge -> Applies to: Windows 10, Windows 10 Mobile +> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile -Set up a policy setting once and then copy that setting onto many computers. +You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. For example, you can set up multiple security settings in a Group Policy Object (GPO) linked to a domain, and then apply those settings to every computer in the domain. +Other policy settings in Microsoft Edge include allowing Adobe Flash content to play automatically, provision a favorites list, set default search engine, and more. You configure a Group Policy setting in the Administrative Templates folders, which are registry-based policy settings that Group Policy enforces. Group Policy stores these settings in a specific registry location, which users cannot change. Also, Group Policy-aware Windows features and applications look for these settings in the registry, and if found the policy setting gets used instead of the regular settings. +**_You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:_** + +      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* -Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. +When you edit a Group Policy setting, you have the following configuration options: -By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that is linked to a domain, and then apply all of those settings to every computer in the domain. +- **Enabled** - writes the policy setting to the registry with a value that enables it. +- **Disabled** - writes the policy setting to the registry with a value that disables it. +- **Not configured** - leaves the policy setting undefined. Group Policy does not write the policy setting to the registry and has no impact on computers or users. -> [!NOTE] -> For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). +Some policy settings have additional options you can configure. For example, if you want to set the default search engine, set the Start page, or configure the Enterprise Mode Site List, you would type the URL. - ->*You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:* -> ->      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* -

- ## Allow a shared books folder [!INCLUDE [allow-shared-folder-books-include.md](includes/allow-shared-folder-books-include.md)] @@ -61,15 +61,33 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Allow Extensions [!INCLUDE [allow-extensions-include.md](includes/allow-extensions-include.md)] +## Allow fullscreen mode +[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] + ## Allow InPrivate browsing [!INCLUDE [allow-inprivate-browsing-include.md](includes/allow-inprivate-browsing-include.md)] ## Allow Microsoft Compatibility List [!INCLUDE [allow-microsoft-compatibility-list-include.md](includes/allow-microsoft-compatibility-list-include.md)] +## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] + +## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed +[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] + +## Allow printing +[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] + +## Allow Saving History +[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] + ## Allow search engine customization [!INCLUDE [allow-search-engine-customization-include.md](includes/allow-search-engine-customization-include.md)] +## Allow sideloading of Extensions +[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] + ## Allow web content on New Tab page [!INCLUDE [allow-web-content-new-tab-page-include.md](includes/allow-web-content-new-tab-page-include.md)] @@ -82,6 +100,9 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Configure Autofill [!INCLUDE [configure-autofill-include.md](includes/configure-autofill-include.md)] +## Configure collection of browsing data for Microsoft 365 Analytics +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] + ## Configure cookies [!INCLUDE [configure-cookies-include.md](includes/configure-cookies-include.md)] @@ -91,6 +112,21 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Configure Favorites [!INCLUDE [configure-favorites-include.md](includes/configure-favorites-include.md)] +## Configure Favorites Bar +[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] + +## Configure Home Button +[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] + +## Configure kiosk mode +[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] + +## Configure kiosk reset after idle timeout +[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] + +## Configure Open Microsoft Edge With +[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] + ## Configure Password Manager [!INCLUDE [configure-password-manager-include.md](includes/configure-password-manager-include.md)] @@ -133,6 +169,9 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Prevent bypassing Windows Defender SmartScreen prompts for sites [!INCLUDE [prevent-bypassing-win-defender-sites-include.md](includes/prevent-bypassing-win-defender-sites-include.md)] +## Prevent certificate error overrides +[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] + ## Prevent changes to Favorites on Microsoft Edge [!INCLUDE [prevent-changes-to-favorites-include.md](includes/prevent-changes-to-favorites-include.md)] @@ -142,6 +181,12 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Prevent the First Run webpage from opening on Microsoft Edge [!INCLUDE [prevent-first-run-webpage-open-include.md](includes/prevent-first-run-webpage-open-include.md)] +## Prevent turning off required extensions +[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] + +## Prevent users from turning on browser syncing +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] + ## Prevent using Localhost IP address for WebRTC [!INCLUDE [prevent-localhost-address-for-webrtc-include.md](includes/prevent-localhost-address-for-webrtc-include.md)] @@ -154,10 +199,23 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Set default search engine [!INCLUDE [set-default-search-engine-include.md](includes/set-default-search-engine-include.md)] +## Set Home Button URL +[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] + +## Set New Tab page URL +[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] + ## Show message when opening sites in Internet Explorer -[!INCLUDE [show-message-opening-sites-ie-include.md](includes/show-message-opening-sites-ie-include.md)] +[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] + +## Unlock Home Button +[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] ## Related topics -* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885) +- [Mobile Device Management (MDM) settings](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) +- [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921) +- [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922) +- [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923) +- [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). \ No newline at end of file diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 2af18fcf6f..6d86a32508 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md @@ -1,19 +1,57 @@ --- title: Change history for Microsoft Edge (Microsoft Edge for IT Pros) -description: This topic lists new and updated topics in the Microsoft Edge documentation for Windows 10 and Windows 10 Mobile. +description: Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. ms.prod: edge +ms.topic: reference ms.mktglfcycl: explore ms.sitesec: library ms.localizationpriority: medium -ms.date: '' +manager: dougkim ms.author: pashort author: shortpatti +ms.date: 10/02/2018 --- # Change history for Microsoft Edge Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. +# [2018](#tab/2018) + +## October 2018 + +The Microsoft Edge team introduces new group policies and MDM settings for Microsoft Edge on Windows 10. The new policies let you enable/disable +full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure the New Tab page, Home button, and startup options, as well as manage extensions. + +We have discontinued the **Configure Favorites** group policy, so use the [Provision Favorites](available-policies.md#provision-favorites) policy instead. + +>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +>> +>>      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + + + +| **New or updated** | **Group Policy** | **Description** | +|------------|-----------------|--------------------| +| New | [Allow fullscreen mode](group-policies/browser-settings-management-gp.md#allow-fullscreen-mode) | [!INCLUDE [allow-fullscreen-mode-shortdesc](shortdesc/allow-fullscreen-mode-shortdesc.md)] | +| New | [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-prelaunch-shortdesc](shortdesc/allow-prelaunch-shortdesc.md)] | +| New | [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-tab-preloading-shortdesc](shortdesc/allow-tab-preloading-shortdesc.md)] | +| New | [Allow printing](group-policies/browser-settings-management-gp.md#allow-printing) | [!INCLUDE [allow-printing-shortdesc](shortdesc/allow-printing-shortdesc.md)] | +| New | [Allow Saving History](group-policies/browser-settings-management-gp.md#allow-saving-history) | [!INCLUDE [allow-saving-history-shortdesc](shortdesc/allow-saving-history-shortdesc.md)] | +| New | [Allow sideloading of Extensions](group-policies/extensions-management-gp.md#allow-sideloading-of-extensions) | [!INCLUDE [allow-sideloading-of-extensions-shortdesc](shortdesc/allow-sideloading-of-extensions-shortdesc.md)] | +| New | [Configure collection of browsing data for Microsoft 365 Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] | +| New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] | +| New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] | +| New | [Configure kiosk mode](available-policies.md#configure-kiosk-mode) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | +| New | [Configure kiosk reset after idle timeout](available-policies.md#configure-kiosk-reset-after-idle-timeout) |[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | +| New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] | +| New | [Prevent certificate error overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] | +| New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] | +| New | [Prevent turning off required extensions](group-policies/extensions-management-gp.md#prevent-turning-off-required-extensions) | [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] | +| New | [Set Home Button URL](group-policies/home-button-gp.md#set-home-button-url) | [!INCLUDE [set-home-button-url-shortdesc](shortdesc/set-home-button-url-shortdesc.md)] | +| New | [Set New Tab page URL](group-policies/new-tab-page-settings-gp.md#set-new-tab-page-url) | [!INCLUDE [set-new-tab-url-shortdesc](shortdesc/set-new-tab-url-shortdesc.md)] | +| Updated | [Show message when opening sites in Internet Explorer](group-policies/interoperability-enterprise-guidance-gp.md#show-message-when-opening-sites-in-internet-explorer) | [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] | +| New | [Unlock Home Button](group-policies/home-button-gp.md#unlock-home-button) | [!INCLUDE [unlock-home-button-shortdesc](shortdesc/unlock-home-button-shortdesc.md)] | # [2017](#tab/2017) @@ -59,4 +97,4 @@ Discover what's new and updated in the Microsoft Edge for both Windows 10 and Wi |----------------------|-------------| |[Available Policies for Microsoft Edge](available-policies.md) | Added new policies and the Supported versions column for Windows 10 Insider Preview. | ---- \ No newline at end of file +--- diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index b3be0aa999..42532b3fb2 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md index dbb4851e18..5fa2461985 100644 --- a/browsers/edge/emie-to-improve-compatibility.md +++ b/browsers/edge/emie-to-improve-compatibility.md @@ -3,98 +3,58 @@ description: If you're having problems with Microsoft Edge, this topic tells how ms.assetid: 89c75f7e-35ca-4ca8-96fa-b3b498b53bE4 author: shortpatti ms.author: pashort -ms.prod: edge +ms.manager: dougkim +ms.prod: browser-edge +ms.topic: reference ms.mktglfcycl: support ms.sitesec: library ms.pagetype: appcompat title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) ms.localizationpriority: medium -ms.date: 04/15/2018 +ms.date: 10/24/2018 --- # Use Enterprise Mode to improve compatibility > Applies to: Windows 10 -If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. +If you have specific websites and apps that have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites open in Internet Explorer 11 automatically. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to automatically open using IE11 with the **Send all intranet sites to IE** group policy. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. ->[!NOTE] ->If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714). -## Fix specific websites +[!INCLUDE [interoperability-goals-enterprise-guidance](../includes/interoperability-goals-enterprise-guidance.md)] -Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and need IE11, you can add them to the Enterprise Mode site list, using the Enterprise Mode Site List Manager. +## Enterprise guidance +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that rely on ActiveX controls, continue using Internet Explorer 11 for the web apps to work correctly. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Also, if you use an earlier version of Internet Explorer, upgrade to IE11. -**To add sites to your list** +Windows 7, Windows 8, and Windows 10 support IE11 so that you can continue using legacy apps even as you migrate to Windows 10 and Microsoft Edge. -1. In the Enterprise Mode Site List Manager, click **Add**.

If you already have an existing site list, you can import it into the tool. After it's in the tool, the xml updates the list, checking **Open in IE** for each site. For info about importing the site list, see [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](https://go.microsoft.com/fwlink/p/?LinkId=618322).

![Enterprise Mode Site List Manager with Open in IE box](images/emie_open_in_ie.png) +If you're having trouble deciding whether Microsoft Edge is right for your organization, then take a look at the infographic about the potential impact of using Microsoft Edge in an organization. -2. Type or paste the URL for the website that’s experiencing compatibility problems, like *<domain>*.com or *<domain>*.com/*<path>* into the **URL** box.

You don’t need to include the `http://` or `https://` designation. The tool will automatically try both versions during validation. - -3. Type any comments about the website into the **Notes about URL** box.

Administrators can only see comments while they’re in this tool. - -4. Click **Open in IE** next to the URL that should automatically open in IE11.

The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, Enterprise Mode is automatically selected. - -5. Click **Save** to validate your website and to add it to the site list for your enterprise.

If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. - -6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your Group Policy setting. For more info, see [Turn on Enterprise Mode and use a site list](https://go.microsoft.com/fwlink/p/?LinkId=618952). - -### Set up Microsoft Edge to use the Enterprise Mode site list - -You must turn on the **Configure the Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). - -> **Note**
-> If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. - -**To turn on Enterprise Mode using Group Policy** - -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** policy.

Turning this setting on also requires you to create and store a site list.

![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png) - -2. Click **Enabled**, and then in the **Options** area, type the location to your site list. - -3. Refresh your policy in your organization and then view the affected sites in Microsoft Edge.

The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is. - -**To turn on Enterprise Mode using the registry** - -1. **To turn on Enterprise Mode for all users on the PC:** Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode`. - -2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example:

![Enterprise mode with site list in the registry](images/edge-emie-registrysitelist.png) - - - **HTTP location**: *“SiteList”=”http://localhost:8080/sites.xml”* - - - **Local network**: *"SiteList"="\\\network\\shares\\sites.xml"* - - - **Local file**: *"SiteList"="file:///c:/Users/<username>/Documents/testList.xml"* - - All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list. +![Microsoft Edge infographic](images/microsoft-edge-infographic-sm.png)
+[Click to enlarge](img-microsoft-edge-infographic-lg.md)
+[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892) +|Microsoft Edge |IE11 | +|---------|---------| +|Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana.

|IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. | -3. Refresh your policy in your organization and then view the affected sites in Microsoft Edge.

The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is. -## Fix your intranet sites +## Configure the Enterprise Mode Site List +[Available policy options](includes/configure-enterprise-mode-site-list-include.md) -You can add the **Send all intranet traffic over to Internet Explorer** Group Policy setting for Windows 10 so that all of your intranet sites open in IE11. This means that even if your employees are using Microsoft Edge, they will automatically switch to IE11 while viewing the intranet. - -> **Note**
-> If you want to use Group Policy to set IE as the default browser for Internet sites, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714). - -**To turn on Sends all intranet traffic over to Internet Explorer using Group Policy** - -1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Microsoft Edge\Sends all intranet traffic over to Internet Explorer` setting. - - ![Local Group Policy Editor with setting to send all intranet traffic to IE11](images/sendintranettoie.png) - -2. Click **Enabled**. - -3. Refresh your policy in your organization and then view the affected sites in Microsoft Edge.

The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is. ## Related topics -* [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035) -* [Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 download](https://go.microsoft.com/fwlink/p/?LinkId=394378) -* [Enterprise Mode Site List Manager for Windows 10 download](https://go.microsoft.com/fwlink/?LinkId=746562) -* [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377) -* [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714) -  +- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035) +- [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377) +- [Download the Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) +- [Download the Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378) +- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager) +- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) +- [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) +- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index) +- [Internet Explorer 11 (IE11) - Deployment Guide for IT Pros](https://go.microsoft.com/fwlink/p/?LinkId=760644) +- [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646) +- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11) diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md deleted file mode 100644 index 352bb35dff..0000000000 --- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md +++ /dev/null @@ -1,59 +0,0 @@ ---- -title: Microsoft Edge and Internet Explorer 11 (Microsoft Edge for IT Pros) -description: Enterprise guidance for using Microsoft Edge and Internet Explorer 11. -author: shortpatti -ms.prod: edge -ms.mktglfcycl: support -ms.sitesec: library -ms.pagetype: appcompat -ms.localizationpriority: medium -ms.date: 10/16/2017 ---- - -# Browser: Microsoft Edge and Internet Explorer 11 -**Microsoft Edge content applies to:** - -- Windows 10 -- Windows 10 Mobile - -**Internet Explorer 11 content applies to:** - -- Windows 10 - -## Enterprise guidance -Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). - -We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. - -If you're having trouble deciding whether Microsoft Edge is good for your organization, you can take a look at this infographic about the potential impact of using Microsoft Edge in an organization. - -![Microsoft Edge infographic](images/microsoft-edge-infographic-sm.png)
-[Click to enlarge](img-microsoft-edge-infographic-lg.md)
-[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892) - -### Microsoft Edge -Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. - -- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. -- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. -- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. -- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. - -### IE11 -IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. - -- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE. -- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps. -- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk. -- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering. -- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices. -- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control. - -## Related topics -- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892) -- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) -- [Download Internet Explorer 11](https://windows.microsoft.com/internet-explorer/download-ie) -- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index) -- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index) -- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-ieak/index) -- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11) diff --git a/browsers/edge/group-policies/address-bar-settings-gp.md b/browsers/edge/group-policies/address-bar-settings-gp.md index 39cc4f17f8..b8b82b3882 100644 --- a/browsers/edge/group-policies/address-bar-settings-gp.md +++ b/browsers/edge/group-policies/address-bar-settings-gp.md @@ -1,18 +1,26 @@ --- -title: Microsoft Edge - Address bar settings -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Address bar group policies +description: Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services, hiding the functionality of the Address bar drop-down list. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/29/2018 -ms.topic: article +ms.date: 10/02/2018 +ms.topic: reference ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Address bar settings +# Address bar + +Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services by hiding the functionality of the Address bar drop-down list. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** @@ -20,4 +28,5 @@ ms.sitesec: library [!INCLUDE [allow-address-bar-suggestions-include.md](../includes/allow-address-bar-suggestions-include.md)] ## Configure search suggestions in Address bar -[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)] \ No newline at end of file +[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)] + diff --git a/browsers/edge/group-policies/adobe-settings-gp.md b/browsers/edge/group-policies/adobe-settings-gp.md index 36461a27fe..3ad76e0397 100644 --- a/browsers/edge/group-policies/adobe-settings-gp.md +++ b/browsers/edge/group-policies/adobe-settings-gp.md @@ -1,20 +1,29 @@ --- -title: Microsoft Edge - Adobe settings -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Adobe Flash group policies +description: Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the Configure the Adobe Flash Click-to-Run setting group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 -ms.topic: article +ms.date: 10/02/2018 +ms.topic: reference ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Adobe settings +# Adobe Flash + +Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. + +To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow Adobe Flash [!INCLUDE [allow-adobe-flash-include.md](../includes/allow-adobe-flash-include.md)] diff --git a/browsers/edge/group-policies/books-library-management-gp.md b/browsers/edge/group-policies/books-library-management-gp.md index 2851dafc5b..d2e9d6ea91 100644 --- a/browsers/edge/group-policies/books-library-management-gp.md +++ b/browsers/edge/group-policies/books-library-management-gp.md @@ -1,21 +1,27 @@ --- -title: Microsoft Edge - Books Library management -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Books Library group policies +description: Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder. You can also allow Microsoft Edge to update the configuration data for the library automatically. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 -ms.topic: article +ms.date: 10/02/2018 +ms.topic: reference ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Books Library management +# Books Library + +Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder in Windows. You can configure Microsoft Edge to update the configuration data for the library automatically or gather diagnostic data, such as usage data. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow a shared books folder [!INCLUDE [allow-shared-folder-books-include.md](../includes/allow-shared-folder-books-include.md)] diff --git a/browsers/edge/group-policies/browser-settings-management-gp.md b/browsers/edge/group-policies/browser-settings-management-gp.md index 213c901cfb..2570cc3c69 100644 --- a/browsers/edge/group-policies/browser-settings-management-gp.md +++ b/browsers/edge/group-policies/browser-settings-management-gp.md @@ -1,25 +1,35 @@ --- -title: Microsoft Edge - Browser settings management -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Browser experience group policies +description: Not only do the other Microsoft Edge group policies enhance the browsing experience, but we must also talk about some of the most common or somewhat common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 -ms.topic: article +ms.date: 10/02/2018 +ms.topic: reference ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Browser settings management +# Browser experience + +Not only do the other Microsoft Edge group policies enhance the browsing experience, but we also want to mention some of the other and common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. The same goes for Pop-up Blocker; Microsoft Edge has a group policy that lets you prevent pop-up windows or let users choose to use Pop-up Blocker. You can use any one of the following group policies to continue enhancing the browsing experience for your users. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow clearing browsing data on exit [!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)] +## Allow fullscreen mode +[!INCLUDE [allow-full-screen-include](../includes/allow-full-screen-include.md)] + ## Allow printing [!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)] @@ -35,11 +45,7 @@ ms.sitesec: library ## Do not sync [!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)] -## Do not sync browser settings -[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)] - -## Prevent users from turning on browser syncing -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)] +To learn about the policies to sync the browser settings, see [Sync browser settings](sync-browser-settings-gp.md). diff --git a/browsers/edge/group-policies/developer-settings-gp.md b/browsers/edge/group-policies/developer-settings-gp.md index 9108424f87..ca4870ac95 100644 --- a/browsers/edge/group-policies/developer-settings-gp.md +++ b/browsers/edge/group-policies/developer-settings-gp.md @@ -1,21 +1,26 @@ --- -title: Microsoft Edge - Developer settings -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Developer tools +description: Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +managre: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 -ms.topic: article +ms.date: 10/02/2018 +ms.topic: reference ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Developer settings +# Developer tools +Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow Developer Tools [!INCLUDE [allow-dev-tools-include](../includes/allow-dev-tools-include.md)] diff --git a/browsers/edge/group-policies/extensions-management-gp.md b/browsers/edge/group-policies/extensions-management-gp.md index 5f85feab3f..3a7fc2dfe5 100644 --- a/browsers/edge/group-policies/extensions-management-gp.md +++ b/browsers/edge/group-policies/extensions-management-gp.md @@ -1,20 +1,26 @@ --- -title: Microsoft Edge - Extensions management -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Extensions group policies +description: Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 09/05/2018 -ms.topic: article +ms.date: 10/02/2018 +ms.topic: reference ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Extensions management +# Extensions +Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow Extensions [!INCLUDE [allow-extensions-include](../includes/allow-extensions-include.md)] diff --git a/browsers/edge/group-policies/favorites-management-gp.md b/browsers/edge/group-policies/favorites-management-gp.md index e488c71611..13c415afdf 100644 --- a/browsers/edge/group-policies/favorites-management-gp.md +++ b/browsers/edge/group-policies/favorites-management-gp.md @@ -1,20 +1,29 @@ --- -title: Microsoft Edge - Favorites management -description: +title: Microsoft Edge - Favorites group policies +description: Configure Microsoft Edge to either show or hide the favorites bar on all pages. Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. services: keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 -ms.topic: article +ms.date: 10/02/2018 +ms.topic: reference ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Favorites management +# Favorites +You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. +>[!TIP] +>You can find the Favorites under C:\\Users\\<_username_>\\Favorites. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configure Favorites Bar [!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)] diff --git a/browsers/edge/group-policies/home-button-gp.md b/browsers/edge/group-policies/home-button-gp.md index 5d7808dfa9..3f22c2897d 100644 --- a/browsers/edge/group-policies/home-button-gp.md +++ b/browsers/edge/group-policies/home-button-gp.md @@ -1,18 +1,20 @@ --- -title: Microsoft Edge - Home button configuration options -description: Microsoft Edge shows the home button and by clicking it the Start page loads by default. +title: Microsoft Edge - Home button group policies +description: Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/23/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library +ms.topic: reference --- -# Home button configuration options ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +# Home button -Microsoft Edge shows the home button and by clicking it the Start page loads by default. You can configure the Home button to load the New tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button. +Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. ## Relevant group policies @@ -20,10 +22,13 @@ Microsoft Edge shows the home button and by clicking it the Start page loads by - [Set Home Button URL](#set-home-button-url) - [Unlock Home Button](#unlock-home-button) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configuration options -![Show home button and load Start page or New tab page](../images/home-button-start-new-tab-page-v4-sm.png) +![Show home button and load Start page or New Tab page](../images/home-button-start-new-tab-page-v4-sm.png) ![Show home button and load custom URL](../images/home-buttom-custom-url-v4-sm.png) diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml index 1918d89136..6e7a2ccb42 100644 --- a/browsers/edge/group-policies/index.yml +++ b/browsers/edge/group-policies/index.yml @@ -12,7 +12,7 @@ metadata: description: Learn how to configure group policies in Microsoft Edge on Windows 10. - text: Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + text: Some of the features in Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. keywords: Microsoft Edge, Windows 10, Windows 10 Mobile @@ -22,7 +22,7 @@ metadata: ms.author: pashort - ms.date: 07/26/2018 + ms.date: 10/02/2018 ms.topic: article @@ -50,17 +50,7 @@ sections: items: - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies - - html:

View all available group policies for Microsoft Edge on Windows 10.

- - image: - - src: https://docs.microsoft.com/media/common/i_policy.svg - - title: All group policies - - - href: address-bar-settings-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/address-bar-settings-gp html:

Learn how you can configure Microsoft Edge to show search suggestions in the address bar.

@@ -68,9 +58,9 @@ sections: src: https://docs.microsoft.com/media/common/i_http.svg - title: Address bar settings + title: Address bar - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/adobe-settings-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/adobe-settings-gp html:

Learn how you can configure Microsoft Edge to load Adobe Flash content automatically.

@@ -78,9 +68,9 @@ sections: src: https://docs.microsoft.com/media/common/i_setup.svg - title: Adobe Flash settings + title: Adobe Flash - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/books-library-management-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/books-library-management-gp html:

Learn how you can set up and use the books library, such as using a shared books folder for students and teachers.

@@ -88,9 +78,9 @@ sections: src: https://docs.microsoft.com/media/common/i_library.svg - title: Books library management + title: Books Library - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/browser-settings-management-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/browser-settings-management-gp html:

Learn how you can customize the browser settings, such as printing and saving browsing history, plus more.

@@ -98,19 +88,9 @@ sections: src: https://docs.microsoft.com/media/common/i_management.svg - title: Browser settings + title: Browser experience - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy - - html:

Learn how Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices.

- - image: - - src: https://docs.microsoft.com/media/common/i_categorize.svg - - title: Deploy Microsoft Edge kiosk mode - - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/developer-settings-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/developer-settings-gp html:

Learn how configure Microsoft Edge for development and testing.

@@ -118,19 +98,9 @@ sections: src: https://docs.microsoft.com/media/common/i_config-tools.svg - title: Developer tools & settings + title: Developer tools - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp - - html:

Learn how you use Microsoft Edge and Internet Explorer together for a full browsing experience.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Enterprise mode - - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/extensions-management-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/extensions-management-gp html:

Learn how you can configure Microsoft Edge to either prevent or allow users to install and run unverified extensions.

@@ -138,9 +108,9 @@ sections: src: https://docs.microsoft.com/media/common/i_extensions.svg - title: Extensions management + title: Extensions - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/favorites-management-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/favorites-management-gp html:

Learn how you can provision a standard favorites list as well as keep the favorites lists in sync between IE11 and Microsoft Edge.

@@ -148,9 +118,9 @@ sections: src: https://docs.microsoft.com/media/common/i_link.svg - title: Favorites management + title: Favorites - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/home-button-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/home-button-gp html:

Learn how you can customize the home button or hide it.

@@ -158,19 +128,39 @@ sections: src: https://docs.microsoft.com/media/common/i_setup.svg - title: Home button settings + title: Home button - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/new-tab-page-settings-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp - html:

Learn how to configure the New tab page in Microsoft Edge.

+ html:

Learn how you use Microsoft Edge and Internet Explorer together for a full browsing experience.

+ + image: + + src: https://docs.microsoft.com/media/common/i_management.svg + + title: Interoperability and enterprise guidance + + - href: https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy + + html:

Learn how Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices.

+ + image: + + src: https://docs.microsoft.com/media/common/i_categorize.svg + + title: Kiosk mode deployment in Microsoft Edge + + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/new-tab-page-settings-gp + + html:

Learn how to configure the New Tab page in Microsoft Edge.

image: src: https://docs.microsoft.com/media/common/i_setup.svg - title: New tab page settings + title: New Tab page - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/prelaunch-preload-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/prelaunch-preload-gp html:

Learn how pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge.

@@ -178,9 +168,9 @@ sections: src: https://docs.microsoft.com/media/common/i_setup.svg - title: Prelaunch Microsoft Edge and preload tabs + title: Prelaunch Microsoft Edge and preload tabs - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/search-engine-customization-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/search-engine-customization-gp html:

Learn how you can set the default search engine and configure additional ones.

@@ -188,9 +178,9 @@ sections: src: https://docs.microsoft.com/media/common/i_search.svg - title: Search engine management + title: Search engine customization - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/security-privacy-management-gp html:

Learn how you can keep your environment and users safe from attacks.

@@ -198,9 +188,9 @@ sections: src: https://docs.microsoft.com/media/common/i_security-management.svg - title: Security & privacy management + title: Security and privacy - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/start-pages-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/start-pages-gp html:

Learn how to configure the Start pages in Microsoft Edge.

@@ -208,19 +198,19 @@ sections: src: https://docs.microsoft.com/media/common/i_setup.svg - title: Start page settings + title: Start page - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/sync-browser-settings-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/sync-browser-settings-gp - html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the the Sync your Settings toggle.

+ html:

Learn how to you can prevent the "browser" group from syncing and prevent users from turning on the Sync your Settings toggle.

image: src: https://docs.microsoft.com/media/common/i_sync.svg - title: Sync browser settings + title: Sync browser - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/telemetry-management-gp html:

Learn how you can configure Microsoft Edge to collect certain data.

@@ -229,3 +219,13 @@ sections: src: https://docs.microsoft.com/media/common/i_data-collection.svg title: Telemetry and data collection + + - href: https://docs.microsoft.com/microsoft-edge/deploy/available-policies + + html:

View all available group policies for Microsoft Edge on Windows 10.

+ + image: + + src: https://docs.microsoft.com/media/common/i_policy.svg + + title: All group policies diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md index 9168988d09..9e39200fe0 100644 --- a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md +++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md @@ -1,58 +1,78 @@ --- -title: Microsoft Edge - Interoperability and enterprise guidance -description: +title: Microsoft Edge - Interoperability and enterprise mode guidance +description: Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. +ms.localizationpriority: medium +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/23/2018 +ms.date: 10/02/2018 ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library +ms.topic: reference --- -# Interoperability and enterprise guidance ->*Supported versions: Microsoft Edge on Windows 10* +# Interoperability and enterprise mode guidance + +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. + +>[!TIP] +>If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. + +**Technology not supported by Microsoft Edge** -Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. - - ->[!TIP] -> If you are running an earlier version of Internet Explorer, then we recommend upgrading to IE11, so any legacy apps continue to work correctly. - -**Technology not supported by Microsoft Edge** - ActiveX controls + +- Browser Helper Objects + +- VBScript + - x-ua-compatible headers -- <meta> tags + +- \ tags + - Legacy document modes - - ->[!TIP] ->You can also use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. For info about Enterprise Mode and Edge, see [Use Enterprise Mode to improve compatibility](../emie-to-improve-compatibility.md). - - -If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. +If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. ## Relevant group policies -1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) -2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) -3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) -4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) +1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) + +2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) + +3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) + +4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options ![Use Enterprise Mode with Microsoft Edge to improve compatibility](../images/use-enterprise-mode-with-microsoft-edge-sm.png) + ## Configure the Enterprise Mode Site List -[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)] + +[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)] + ## Send all intranet sites to Internet Explorer 11 + [!INCLUDE [send-all-intranet-sites-ie-include](../includes/send-all-intranet-sites-ie-include.md)] -## Show message when opening sites in Internet Explorer -[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)] -## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge -[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)] \ No newline at end of file +## Show message when opening sites in Internet Explorer + +[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)] + + +## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge + +[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)] diff --git a/browsers/edge/group-policies/new-tab-page-settings-gp.md b/browsers/edge/group-policies/new-tab-page-settings-gp.md index bc6f5d500d..b18871a3e6 100644 --- a/browsers/edge/group-policies/new-tab-page-settings-gp.md +++ b/browsers/edge/group-policies/new-tab-page-settings-gp.md @@ -1,20 +1,45 @@ --- -title: Microsoft Edge - New tab page -description: Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it. +title: Microsoft Edge - New Tab page group policies +description: Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library +ms.topic: reference --- -# New tab page +# New Tab page +Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. -Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank. +>[!NOTE] +>New tab pages do not load while running InPrivate mode. + +## Relevant group policies + +- [Set New Tab page URL](#set-new-tab-page-url) +- [Allow web content on New Tab page](#allow-web-content-on-new-tab-page) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Load the default New Tab page](../images/load-default-new-tab-page-sm.png) + +![Load a blank page instead of the default New Tab page](../images/load-blank-page-not-new-tab-page-sm.png) + +![Let users choose what loads](../images/users-choose-new-tab-page-sm.png) ## Set New Tab page URL -[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] \ No newline at end of file +[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] + +## Allow web content on New Tab page +[!INCLUDE [allow-web-content-new-tab-page-include](../includes/allow-web-content-new-tab-page-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/prelaunch-preload-gp.md b/browsers/edge/group-policies/prelaunch-preload-gp.md index e5558942b9..8baa1858bb 100644 --- a/browsers/edge/group-policies/prelaunch-preload-gp.md +++ b/browsers/edge/group-policies/prelaunch-preload-gp.md @@ -1,31 +1,35 @@ --- -title: Microsoft Edge - Prelaunch and tab preload configuration options +title: Microsoft Edge - Prelaunch and tab preload group policies description: Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium +ms.topic: reference --- -# Prelaunch Microsoft Edge and preload tabs in the background - - +# Prelaunch Microsoft Edge and preload tabs in the background Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. You can also configure Microsoft Edge to prevent Microsoft Edge from pre-launching. -Additionally, Microsoft Edge preloads the Start and New tab pages during Windows sign in, which minimizes the amount of time required to start Microsoft Edge and load a new tab. You can also configure Microsoft Edge to prevent preloading of tabs. +Additionally, Microsoft Edge preloads the Start and New Tab pages during Windows sign in, which minimizes the amount of time required to start Microsoft Edge and load a new tab. You can also configure Microsoft Edge to prevent preloading of tabs. ## Relevant group policies - [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) -- [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) +- [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configuration options -![Only preload the Start and New tab pages during Windows startup](../images/preload-tabs-only-sm.png) +![Only preload the Start and New Tab pages during Windows startup](../images/preload-tabs-only-sm.png) -![Prelauch Microsoft Edge and preload Start and New tab pages](../images/prelaunch-edge-and-preload-tabs-sm.png) +![Prelauch Microsoft Edge and preload Start and New Tab pages](../images/prelaunch-edge-and-preload-tabs-sm.png) ![Only prelaunch Microsoft Edge during Windows startup](../images/prelaunch-edge-only-sm.png) diff --git a/browsers/edge/group-policies/search-engine-customization-gp.md b/browsers/edge/group-policies/search-engine-customization-gp.md index 1ce3437a76..75677a0ec8 100644 --- a/browsers/edge/group-policies/search-engine-customization-gp.md +++ b/browsers/edge/group-policies/search-engine-customization-gp.md @@ -1,14 +1,17 @@ --- -title: Microsoft Edge - Search engine customization -description: By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file. +title: Microsoft Edge - Search engine customization group policies +description: Microsoft Edge, by default, uses the search engine specified in App settings, which lets users make changes. You can prevent users from making changes and still use the search engine specified in App settings by disabling the Allow search engine customization policy. You can also use the policy-set search engine specified in the OpenSearch XML file in which you can configure up to five additional search engines and setting any one of them as the default. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium +ms.topic: reference --- -# Search engine customization +# Search engine customization -By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file. You can also prevent users from making changes to the search engine settings. +Microsoft Edge, by default, uses the search engine specified in App settings, which lets users make changes. You can prevent users from making changes and still use the search engine specified in App settings by disabling the Allow search engine customization policy. You can also use the policy-set search engine specified in the OpenSearch XML file in which you can configure up to five additional search engines and setting any one of them as the default. ## Relevant group policies @@ -16,6 +19,11 @@ By default, Microsoft Edge uses the default search engine specified in App setti - [Allow search engine customization](#allow-search-engine-customization) - [Configure additional search engines](#configure-additional-search-engines) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options ![Set default search engine configurations](../images/set-default-search-engine-v4-sm.png) diff --git a/browsers/edge/group-policies/security-privacy-management-gp.md b/browsers/edge/group-policies/security-privacy-management-gp.md index 2af6f28da2..cf137c8439 100644 --- a/browsers/edge/group-policies/security-privacy-management-gp.md +++ b/browsers/edge/group-policies/security-privacy-management-gp.md @@ -1,12 +1,15 @@ --- -title: Microsoft Edge - Security and privacy management +title: Microsoft Edge - Security and privacy group policies description: Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/27/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium +ms.topic: reference --- -# Security and privacy management +# Security and privacy Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes. @@ -14,7 +17,11 @@ Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), randomizing the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find sensitive memory components. +For more details on the security features in Microsoft Edge, see [Help protect against web-based security threats](#help-protect-against-web-based-security-threats) below. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configure cookies [!INCLUDE [configure-cookies-include](../includes/configure-cookies-include.md)] @@ -38,14 +45,28 @@ The value of running 64-bit all the time is that it strengthens Windows Address [!INCLUDE [prevent-localhost-address-for-webrtc-include](../includes/prevent-localhost-address-for-webrtc-include.md)] +## Help protect against web-based security threats -| | | +While most websites are safe, some sites have been intentionally designed to steal sensitive and private information or gain access to your system’s resources. You can help protect against threats by using strong security protocols to ensure against such threats. + +Thieves use things like _phishing_ attacks to convince someone to enter personal information, such as a banking password, into a website that looks like a legitimate bank but isn't. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success since attackers are too good at faking legitimate experiences for many people to notice the difference. + +Another method thieves often use _hacking_ to attack a system through malformed content that exploits subtle flaws in the browser or various browser extensions. This exploit lets an attacker run code on a device, taking over a browsing session, and perhaps the entire device. + +Microsoft Edge addresses these threats to help make browsing the web a safer experience. + + +| Feature | Description | |---|---| -| **[Windows Hello](http://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Authenticates the user and the website with asymmetric cryptography technology. Microsoft Edge natively supports Windows Hello as a more personal, seamless, and secure way to authenticate on the web, powered by an early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](http://w3c.github.io/webauthn/). | -| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any site that is thought to be a phishing site. SmartScreen also helps to defend against installing malicious software or file downloads, even from trusted sites. | -| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically. | -| **Microsoft EdgeHTML** | Defends against hacking through the following security standards features: | -| **Code integrity and image loading restrictions** | Prevents malicious DLLs from loading or injecting into the content processes. Only signed images are allowed to load in Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can't load. | -| **Memory corruption mitigations** | Defends against memory corruption weaknesses and vulnerabilities with the use of [CWE-416: Use After Free](http://cwe.mitre.org/data/definitions/416.html) (UAF). | -| **Memory Garbage Collector (MemGC) mitigation** | Replaces Memory Protector and helps to defend the browser from UAF vulnerabilities by freeing memory from the programmer and automating it, only freeing memory when the automation detects that there are no more references left pointing to a given block of memory. | -| **Control Flow Guard** | Compiles checks around code that performs indirect jumps based on a pointer, restricting those jumps to only going to function entry points with known addresses. Control Flow Guard is a Microsoft Visual Studio technology. | \ No newline at end of file +| **[Windows Hello](https://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography technology, powered by early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](https://w3c.github.io/webauthn/). | +| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any sites that are thought to be a phishing site. SmartScreen also helps to defend against installing malicious software, drive-by attacks, or file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites. | +| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include | +| **Microsoft EdgeHTML and modern web standards** | Microsoft Edge uses Microsoft EdgeHTML as the rendering engine. This engine focuses on modern standards letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features:

**NOTE:** Both Microsoft Edge and Internet Explorer 11 support HSTS. | +| **Code integrity and image loading restrictions** | Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or injecting into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can’t load. | +| **Memory corruption mitigations** | Memory corruption attacks frequently happen to apps written in C or C++ don’t provide safety or buffer overflow protection. When an attacker provides malformed input to a program, the program’s memory becomes corrupt allowing the attacker to take control of the program. Although attackers have adapted and invented new ways to attack, we’ve responded with memory safety defenses, mitigating the most common forms of attack, including and especially [use-after-free (UAF)](https://cwe.mitre.org/data/definitions/416.html) vulnerabilities. | +| **Memory Garbage Collector (MemGC) mitigation** | MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC frees up memory from the programmer and automating it. Only freeing memory when the automation detects no references left pointing to a given block of memory. | +| **Control Flow Guard** | Attackers use memory corruption attacks to gain control of the CPU program counter to jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps get restricted to function entry points with known addresses only making attacker take-overs must more difficult constraining where an attack jumps. | +| **All web content runs in an app container sandbox** |Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn’t support 3rd party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure. | +| **Extension model and HTML5 support** |Microsoft Edge does not support binary extensions because they can bring code and data into the browser’s processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). | +| **Reduced attack surfaces** |Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Many IE browser vulnerabilities only appear in legacy document modes, so removing support reduced attack surface making the browser more secure.

It also means that it’s not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fall back happens when you use the Enterprise Mode Site List. | +--- diff --git a/browsers/edge/group-policies/start-pages-gp.md b/browsers/edge/group-policies/start-pages-gp.md index ddb428bcc4..55df08e642 100644 --- a/browsers/edge/group-policies/start-pages-gp.md +++ b/browsers/edge/group-policies/start-pages-gp.md @@ -1,19 +1,20 @@ --- -title: Microsoft Edge - Start pages -description: Configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. +title: Microsoft Edge - Start pages group policies +description: Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.localizationpriority: medium +ms.date: 10/02/2018 ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library +ms.topic: reference --- -# Start pages configuration options ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +# Start pages - -Microsoft Edge loads the pages specified in App settings as the default Start pages. You can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. +Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. ## Relevant group policies @@ -21,8 +22,13 @@ Microsoft Edge loads the pages specified in App settings as the default Start pa - [Configure Start Pages](#configure-start-pages) - [Disable Lockdown of Start pages](#disable-lockdown-of-start-pages) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: -![Load URLs defined in Configure Start Pages](../images/load-urls-defined-in-configure-open-edge-with-main-sm.png) +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Load URLs defined in Configure Start pages](../images/load-urls-defined-in-configure-open-edge-with-sm.png) ## Configure Open Microsoft Edge With @@ -34,16 +40,3 @@ Microsoft Edge loads the pages specified in App settings as the default Start pa ## Disable Lockdown of Start pages [!INCLUDE [disable-lockdown-of-start-pages-include](../includes/disable-lockdown-of-start-pages-include.md)] - -### Configuration options - -| **Configure Open Microsoft Edge With** | **Configure Start Pages** | **Disabled Lockdown of Start Pages** | **Outcome** | -| --- | --- | --- | --- | -| Enabled (applies to all options) | Enabled – String | Enabled (all configured start pages are editable) | Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to make changes. | -| Disabled or not configured | Enabled – String | Enabled (any Start page configured in the Configured Start Pages policy) | Load any start page and let users make changes .| -| Enabled (Start page) | Enabled – String | Blank or not configured | Load Start page(s) and prevent users from making changes. | -| Enabled (New tab page) | Enabled – String | Blank or not configured | Load New tab page and prevent users from making changes. | -| Enabled (Previous pages) | Enabled – String | Blank or not configured | Load previously opened pages and prevent users from making changes. | -| Enabled (A specific page or pages) | Enabled – String | Blank or not configured | Load a specific page or pages and prevent users from making changes. | -| Enabled (A specific page or pages) | Enabled – String | Enabled (any Start page configured in Configure Start Pages policy) | Load a specific page or pages and let users make changes. | ---- \ No newline at end of file diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md index 957e790520..aac83e87ca 100644 --- a/browsers/edge/group-policies/sync-browser-settings-gp.md +++ b/browsers/edge/group-policies/sync-browser-settings-gp.md @@ -1,12 +1,15 @@ --- -title: Microsoft Edge - Sync browser settings options -description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. +title: Microsoft Edge - Sync browser settings +description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 08/06/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium +ms.topic: reference --- -# Sync browser settings options +# Sync browser settings By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. @@ -16,6 +19,9 @@ By default, the “browser” group syncs automatically between the user’s dev - [Do not sync browser settings](#do-not-sync-browser-settings) - [Prevent users from turning on browser syncing](#prevent-users-from-turning-on-browser-syncing) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configuration options @@ -24,8 +30,8 @@ By default, the “browser” group syncs automatically between the user’s dev ![Prevent syncing of browser settings](../images/prevent-syncing-browser-settings-sm.png) -## Verify the configuration -To verify if syncing is turned on or off: +### Verify the configuration +To verify the settings: 1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). 2. Click **Settings**. 3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) diff --git a/browsers/edge/group-policies/telemetry-management-gp.md b/browsers/edge/group-policies/telemetry-management-gp.md index 242ecf0298..c83cd2848c 100644 --- a/browsers/edge/group-policies/telemetry-management-gp.md +++ b/browsers/edge/group-policies/telemetry-management-gp.md @@ -1,14 +1,21 @@ --- -title: Microsoft Edge - Telemetry and data collection -description: +title: Microsoft Edge - Telemetry and data collection group policies +description: Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/29/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium +ms.topic: reference --- -# Telemetry and data collection +# Telemetry and data collection +Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow extended telemetry for the Books tab [!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] @@ -16,11 +23,8 @@ ms.date: 07/29/2018 ## Configure collection of browsing data for Microsoft 365 Analytics [!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](../includes/configure-browser-telemetry-for-m365-analytics-include.md)] - - ## Configure Do Not Track [!INCLUDE [configure-do-not-track-include.md](../includes/configure-do-not-track-include.md)] - ## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start [!INCLUDE [prevent-live-tile-pinning-start-include](../includes/prevent-live-tile-pinning-start-include.md)] \ No newline at end of file diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md deleted file mode 100644 index 307e1293de..0000000000 --- a/browsers/edge/hardware-and-software-requirements.md +++ /dev/null @@ -1,167 +0,0 @@ ---- -description: Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. -ms.assetid: 3c5bc4c4-1060-499e-9905-2504ea6dc6aa -author: shortpatti -ms.prod: edge -ms.mktglfcycl: support -ms.sitesec: library -ms.pagetype: appcompat -title: Microsoft Edge requirements and language support (Microsoft Edge for IT Pros) -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Microsoft Edge requirements and language support - ->Applies to: Windows 10, Windows 10 Mobile - - -Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. - ->[!NOTE] ->The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. - -## Minimum system requirements -Some of the components in this table might also need additional system resources. Check the component's documentation for more information. - - -| Item | Minimum requirements | -| ------------------ | -------------------------------------------- | -| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | -| Operating system |

**Note**
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=699266) topic. | -| Memory |

| -| Hard drive space | | -| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) | -| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | -| Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | -| Peripherals | Internet connection and a compatible pointing device | - -  - -## Supported languages - - -Microsoft Edge supports all of the same languages as Windows 10, including: - - -| Language | Country/Region | Code | -| ------------------------ | -------------- | ------ | -| Afrikaans (South Africa) | South Africa | af-ZA | -| Albanian (Albania) | Albania | sq-AL | -| Amharic | Ethiopia | am-ET | -| Arabic (Saudi Arabia) | Saudi Arabia | ar-SA | -| Armenian | Armenia | hy-AM | -| Assamese | India | as-IN | -| Azerbaijani (Latin, Azerbaijan) | Azerbaijan | az-Latn-AZ | -| Bangla (Bangladesh) | Bangladesh | bn-BD | -| Bangla (India) | India | bn-IN | -| Basque (Basque) | Spain | eu-ES | -| Belarusian (Belarus) | Belarus | be-BY | -| Bosnian (Latin) | Bosnia and Herzegovina | bs-Latn-BA | -| Bulgarian (Bulgaria) | Bulgaria | bg-BG | -| Catalan (Catalan) | Spain | ca-ES | -| Central Kurdish (Arabic) | Iraq | ku-Arab-IQ | -| Cherokee (Cherokee) | United States | chr-Cher-US | -| Chinese (Hong Kong SAR) | Hong Kong Special Administrative Region | zh-HK | -| Chinese (Simplified, China) | People's Republic of China | zh-CN | -| Chinese (Traditional, Taiwan) | Taiwan | zh-TW | -| Croatian (Croatia) | Croatia | hr-HR | -| Czech (Czech Republic) | Czech Republic | cs-CZ | -| Danish (Denmark) | Denmark | da-DK | -| Dari | Afghanistan | prs-AF | -| Dutch (Netherlands) | Netherlands | nl-NL | -| English (United Kingdom) | United Kingdom | en-GB | -| English (United States) | United States | en-US | -| Estonian (Estonia) | Estonia | et-EE | -| Filipino (Philippines) | Philippines | fil-PH | -| Finnish (Finland) | Finland | fi_FI | -| French (Canada) | Canada | fr-CA | -| French (France) | France | fr-FR | -| Galician (Galician) | Spain | gl-ES | -| Georgian | Georgia | ka-GE | -| German (Germany) | Germany | de-DE | -| Greek (Greece) | Greece | el-GR | -| Gujarati | India | gu-IN | -| Hausa (Latin, Nigeria) | Nigeria | ha-Latn-NG | -| Hebrew (Israel) | Israel | he-IL | -| Hindi (India) | India | hi-IN | -| Hungarian (Hungary) | Hungary | hu-HU | -| Icelandic | Iceland | is-IS | -| Igbo | Nigeria | ig-NG | -| Indonesian (Indonesia) | Indonesia | id-ID | -| Irish | Ireland | ga-IE | -| isiXhosa | South Africa | xh-ZA | -| isiZulu | South Africa | zu-ZA | -| Italian (Italy) | Italy | it-IT | -| Japanese (Japan) | Japan | ja-JP | -| Kannada | India | kn-IN | -| Kazakh (Kazakhstan) | Kazakhstan | kk-KZ | -| Khmer (Cambodia) | Cambodia | km-KH | -| K'iche' | Guatemala | quc-Latn-GT | -| Kinyarwanda | Rwanda | rw-RW | -| KiSwahili | Kenya, Tanzania | sw-KE | -| Konkani | India | kok-IN | -| Korean (Korea) | Korea | ko-KR | -| Kyrgyz | Kyrgyzstan | ky-KG | -| Lao (Laos) | Lao P.D.R. | lo-LA | -| Latvian (Latvia) | Latvia | lv-LV | -| Lithuanian (Lithuania) | Lithuania | lt-LT | -| Luxembourgish (Luxembourg) | Luxembourg | lb-LU | -| Macedonian (Former Yugoslav Republic of Macedonia) | Macedonia (FYROM) | mk-MK | -| Malay (Malaysia) | Malaysia, Brunei, and Singapore | ms-MY | -| Malayalam | India | ml-IN | -| Maltese | Malta | mt-MT | -| Maori | New Zealand | mi-NZ | -| Marathi | India | mr-IN | -| Mongolian (Cyrillic) | Mongolia | mn-MN | -| Nepali | Federal Democratic Republic of Nepal | ne-NP | -| Norwegian (Nynorsk) | Norway | nn-NO | -| Norwegian, Bokmål (Norway) | Norway | nb-NO | -| Odia | India | or-IN | -| Polish (Poland) | Poland | pl-PL | -| Portuguese (Brazil) | Brazil | pt-BR | -| Portuguese (Portugal) | Portugal | pt-PT | -| Punjabi | India | pa-IN | -| Punjabi (Arabic) | Pakistan | pa-Arab-PK | -| Quechua | Peru | quz-PE | -| Romanian (Romania) | Romania | ro-RO | -| Russian (Russia) | Russia | ru-RU | -| Scottish Gaelic | United Kingdom | gd-GB | -| Serbian (Cyrillic, Bosnia, and Herzegovina) | Bosnia and Herzegovina | sr-Cyrl-BA | -| Serbian (Cyrillic, Serbia) | Serbia | sr-Cyrl-RS | -| Serbian (Latin, Serbia) | Serbia | sr-Latn-RS | -| Sesotho sa Leboa | South Africa | nso-ZA | -| Setswana (South Africa) | South Africa and Botswana | tn-ZA | -| Sindhi (Arabic) | Pakistan | sd-Arab-PK | -| Sinhala | Sri Lanka | si-LK | -| Slovak (Slovakia) | Slovakia | sk-SK | -| Slovenian (Slovenia) | Slovenia | sl-SL | -| Spanish (Mexico) | Mexico | es-MX | -| Spanish (Spain, International Sort) | Spain | en-ES | -| Swedish (Sweden) | Sweden | sv-SE | -| Tajik (Cyrillic) | Tajikistan | tg-Cyrl-TJ | -| Tamil (India) | India and Sri Lanka | ta-IN | -| Tatar | Russia | tt-RU | -| Telugu | India | te-IN | -| Thai (Thailand) | Thailand | th-TH | -| Tigrinya (Ethiopia) | Ethiopia | ti-ET | -| Turkish (Turkey) | Turkey | tr-TR | -| Turkmen | Turkmenistan | tk-TM | -| Ukrainian (Ukraine) | Ukraine | uk-UA | -| Urdu | Pakistan | ur-PK | -| Uyghur | People's Republic of China | ug-CN | -| Uzbek (Latin, Uzbekistan) | Uzbekistan | uz-Latn-UZ | -| Valencian | Spain | ca-ES-valencia | -| Vietnamese | Vietnam | vi-VN | -| Welsh | United Kingdom | cy-GB | -| Wolof | Senegal | wo-SN | -| Yoruba | Nigeria | yo-NG | - -  - -  - -  - - - diff --git a/browsers/edge/images/Multi-app_kiosk_inFrame.png b/browsers/edge/images/Multi-app_kiosk_inFrame.png deleted file mode 100644 index a1c62f8ffe..0000000000 Binary files a/browsers/edge/images/Multi-app_kiosk_inFrame.png and /dev/null differ diff --git a/browsers/edge/images/Normal_inFrame.png b/browsers/edge/images/Normal_inFrame.png deleted file mode 100644 index fccb0d4e56..0000000000 Binary files a/browsers/edge/images/Normal_inFrame.png and /dev/null differ diff --git a/browsers/edge/images/Picture1-sm.png b/browsers/edge/images/Picture1-sm.png new file mode 100644 index 0000000000..e5dddbd698 Binary files /dev/null and b/browsers/edge/images/Picture1-sm.png differ diff --git a/browsers/edge/images/Picture1.png b/browsers/edge/images/Picture1.png new file mode 100644 index 0000000000..a7cd8ea4a0 Binary files /dev/null and b/browsers/edge/images/Picture1.png differ diff --git a/browsers/edge/images/Picture2-sm.png b/browsers/edge/images/Picture2-sm.png new file mode 100644 index 0000000000..ad6cebca98 Binary files /dev/null and b/browsers/edge/images/Picture2-sm.png differ diff --git a/browsers/edge/images/Picture2.png b/browsers/edge/images/Picture2.png new file mode 100644 index 0000000000..665e3d2578 Binary files /dev/null and b/browsers/edge/images/Picture2.png differ diff --git a/browsers/edge/images/Picture5-sm.png b/browsers/edge/images/Picture5-sm.png new file mode 100644 index 0000000000..705fcecdd3 Binary files /dev/null and b/browsers/edge/images/Picture5-sm.png differ diff --git a/browsers/edge/images/Picture5.png b/browsers/edge/images/Picture5.png new file mode 100644 index 0000000000..9e11775911 Binary files /dev/null and b/browsers/edge/images/Picture5.png differ diff --git a/browsers/edge/images/Picture6-sm.png b/browsers/edge/images/Picture6-sm.png new file mode 100644 index 0000000000..1b020cf8fb Binary files /dev/null and b/browsers/edge/images/Picture6-sm.png differ diff --git a/browsers/edge/images/Picture6.png b/browsers/edge/images/Picture6.png new file mode 100644 index 0000000000..b5d9d8401d Binary files /dev/null and b/browsers/edge/images/Picture6.png differ diff --git a/browsers/edge/images/SingleApp_contosoHotel_inFrame.png b/browsers/edge/images/SingleApp_contosoHotel_inFrame.png deleted file mode 100644 index b7dfc0ee28..0000000000 Binary files a/browsers/edge/images/SingleApp_contosoHotel_inFrame.png and /dev/null differ diff --git a/browsers/edge/images/allow-shared-books-folder_sm.png b/browsers/edge/images/allow-shared-books-folder_sm.png index fc49829b14..0eb5feb868 100644 Binary files a/browsers/edge/images/allow-shared-books-folder_sm.png and b/browsers/edge/images/allow-shared-books-folder_sm.png differ diff --git a/browsers/edge/images/home-buttom-custom-url-v4-sm.png b/browsers/edge/images/home-buttom-custom-url-v4-sm.png index 397b46c75b..dcacfdd7cf 100644 Binary files a/browsers/edge/images/home-buttom-custom-url-v4-sm.png and b/browsers/edge/images/home-buttom-custom-url-v4-sm.png differ diff --git a/browsers/edge/images/home-buttom-custom-url-v4.png b/browsers/edge/images/home-buttom-custom-url-v4.png deleted file mode 100644 index db47a93117..0000000000 Binary files a/browsers/edge/images/home-buttom-custom-url-v4.png and /dev/null differ diff --git a/browsers/edge/images/home-button-hide-sm.png b/browsers/edge/images/home-button-hide-sm.png deleted file mode 100644 index beab1c22ef..0000000000 Binary files a/browsers/edge/images/home-button-hide-sm.png and /dev/null differ diff --git a/browsers/edge/images/home-button-hide-v4-sm.png b/browsers/edge/images/home-button-hide-v4-sm.png index fe21f0523c..adf5961b64 100644 Binary files a/browsers/edge/images/home-button-hide-v4-sm.png and b/browsers/edge/images/home-button-hide-v4-sm.png differ diff --git a/browsers/edge/images/home-button-hide-v4.png b/browsers/edge/images/home-button-hide-v4.png deleted file mode 100644 index 761143f0c8..0000000000 Binary files a/browsers/edge/images/home-button-hide-v4.png and /dev/null differ diff --git a/browsers/edge/images/home-button-hide.png b/browsers/edge/images/home-button-hide.png deleted file mode 100644 index 761143f0c8..0000000000 Binary files a/browsers/edge/images/home-button-hide.png and /dev/null differ diff --git a/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png b/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png index 7b04f17b28..5f4d97445d 100644 Binary files a/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png and b/browsers/edge/images/home-button-start-new-tab-page-v4-sm.png differ diff --git a/browsers/edge/images/home-button-start-new-tab-page-v4.png b/browsers/edge/images/home-button-start-new-tab-page-v4.png deleted file mode 100644 index 599ebeb8df..0000000000 Binary files a/browsers/edge/images/home-button-start-new-tab-page-v4.png and /dev/null differ diff --git a/browsers/edge/images/icon-thin-line-computer.png b/browsers/edge/images/icon-thin-line-computer.png index e941caf0c1..d7fc810e2f 100644 Binary files a/browsers/edge/images/icon-thin-line-computer.png and b/browsers/edge/images/icon-thin-line-computer.png differ diff --git a/browsers/edge/images/kiosk-mode-types.png b/browsers/edge/images/kiosk-mode-types.png deleted file mode 100644 index 1ae43b31ac..0000000000 Binary files a/browsers/edge/images/kiosk-mode-types.png and /dev/null differ diff --git a/browsers/edge/images/load-any-start-page-let-users-make-changes.png b/browsers/edge/images/load-any-start-page-let-users-make-changes.png deleted file mode 100644 index fd4caf021e..0000000000 Binary files a/browsers/edge/images/load-any-start-page-let-users-make-changes.png and /dev/null differ diff --git a/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png b/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png new file mode 100644 index 0000000000..5cd776f936 Binary files /dev/null and b/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png differ diff --git a/browsers/edge/images/load-default-new-tab-page-sm.png b/browsers/edge/images/load-default-new-tab-page-sm.png new file mode 100644 index 0000000000..3fd9b6b714 Binary files /dev/null and b/browsers/edge/images/load-default-new-tab-page-sm.png differ diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png deleted file mode 100644 index eb3987003d..0000000000 Binary files a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main-sm.png and /dev/null differ diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png deleted file mode 100644 index bf4dc617aa..0000000000 Binary files a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-main.png and /dev/null differ diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png index eacac1b216..f82383cb1d 100644 Binary files a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png and b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with-sm.png differ diff --git a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png b/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png deleted file mode 100644 index eacac1b216..0000000000 Binary files a/browsers/edge/images/load-urls-defined-in-configure-open-edge-with.png and /dev/null differ diff --git a/browsers/edge/images/microsoft-edge-kiosk-mode.png b/browsers/edge/images/microsoft-edge-kiosk-mode.png deleted file mode 100644 index ec794911b7..0000000000 Binary files a/browsers/edge/images/microsoft-edge-kiosk-mode.png and /dev/null differ diff --git a/browsers/edge/images/multi-app-kiosk-mode.PNG b/browsers/edge/images/multi-app-kiosk-mode.PNG deleted file mode 100644 index fd924f92b0..0000000000 Binary files a/browsers/edge/images/multi-app-kiosk-mode.PNG and /dev/null differ diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png index 823309be3e..2e0c2caaa5 100644 Binary files a/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png and b/browsers/edge/images/prelaunch-edge-and-preload-tabs-sm.png differ diff --git a/browsers/edge/images/prelaunch-edge-and-preload-tabs.png b/browsers/edge/images/prelaunch-edge-and-preload-tabs.png deleted file mode 100644 index a287ebb8fd..0000000000 Binary files a/browsers/edge/images/prelaunch-edge-and-preload-tabs.png and /dev/null differ diff --git a/browsers/edge/images/prelaunch-edge-only-sm.png b/browsers/edge/images/prelaunch-edge-only-sm.png index 365bddf96a..e5ae065226 100644 Binary files a/browsers/edge/images/prelaunch-edge-only-sm.png and b/browsers/edge/images/prelaunch-edge-only-sm.png differ diff --git a/browsers/edge/images/prelaunch-edge-only.png b/browsers/edge/images/prelaunch-edge-only.png deleted file mode 100644 index 975a745f3f..0000000000 Binary files a/browsers/edge/images/prelaunch-edge-only.png and /dev/null differ diff --git a/browsers/edge/images/preload-tabs-only-sm.png b/browsers/edge/images/preload-tabs-only-sm.png index 32089d3fce..1ea5a5af23 100644 Binary files a/browsers/edge/images/preload-tabs-only-sm.png and b/browsers/edge/images/preload-tabs-only-sm.png differ diff --git a/browsers/edge/images/preload-tabs-only.png b/browsers/edge/images/preload-tabs-only.png deleted file mode 100644 index 01181d6b82..0000000000 Binary files a/browsers/edge/images/preload-tabs-only.png and /dev/null differ diff --git a/browsers/edge/images/prevent-syncing-browser-settings-sm.png b/browsers/edge/images/prevent-syncing-browser-settings-sm.png index 7bcdfcdc8c..fb88466201 100644 Binary files a/browsers/edge/images/prevent-syncing-browser-settings-sm.png and b/browsers/edge/images/prevent-syncing-browser-settings-sm.png differ diff --git a/browsers/edge/images/prevent-syncing-browser-settings.png b/browsers/edge/images/prevent-syncing-browser-settings.png deleted file mode 100644 index 6f98dc6c22..0000000000 Binary files a/browsers/edge/images/prevent-syncing-browser-settings.png and /dev/null differ diff --git a/browsers/edge/images/set-default-search-engine-v4-sm.png b/browsers/edge/images/set-default-search-engine-v4-sm.png index 44a5ae094a..cf43642b65 100644 Binary files a/browsers/edge/images/set-default-search-engine-v4-sm.png and b/browsers/edge/images/set-default-search-engine-v4-sm.png differ diff --git a/browsers/edge/images/set-default-search-engine-v4.png b/browsers/edge/images/set-default-search-engine-v4.png deleted file mode 100644 index 59528a3282..0000000000 Binary files a/browsers/edge/images/set-default-search-engine-v4.png and /dev/null differ diff --git a/browsers/edge/images/single-app-kiosk-mode.PNG b/browsers/edge/images/single-app-kiosk-mode.PNG deleted file mode 100644 index a939973c62..0000000000 Binary files a/browsers/edge/images/single-app-kiosk-mode.PNG and /dev/null differ diff --git a/browsers/edge/images/sync-browser-settings-automatically-sm.png b/browsers/edge/images/sync-browser-settings-automatically-sm.png index 25b68500d5..ff9695d64c 100644 Binary files a/browsers/edge/images/sync-browser-settings-automatically-sm.png and b/browsers/edge/images/sync-browser-settings-automatically-sm.png differ diff --git a/browsers/edge/images/sync-browser-settings-automatically.png b/browsers/edge/images/sync-browser-settings-automatically.png deleted file mode 100644 index 3f81196ebc..0000000000 Binary files a/browsers/edge/images/sync-browser-settings-automatically.png and /dev/null differ diff --git a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png index 99c2e9bf12..bc64f2dade 100644 Binary files a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png and b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge-sm.png differ diff --git a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png b/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png deleted file mode 100644 index 8a9b11ff19..0000000000 Binary files a/browsers/edge/images/use-enterprise-mode-with-microsoft-edge.png and /dev/null differ diff --git a/browsers/edge/images/users-choose-new-tab-page-sm.png b/browsers/edge/images/users-choose-new-tab-page-sm.png new file mode 100644 index 0000000000..21e7c7ea7f Binary files /dev/null and b/browsers/edge/images/users-choose-new-tab-page-sm.png differ diff --git a/browsers/edge/img-microsoft-edge-infographic-lg.md b/browsers/edge/img-microsoft-edge-infographic-lg.md index cb3a42f1b9..e9d8b67cc2 100644 --- a/browsers/edge/img-microsoft-edge-infographic-lg.md +++ b/browsers/edge/img-microsoft-edge-infographic-lg.md @@ -2,8 +2,6 @@ description: A full-sized view of the Microsoft Edge infographic. title: Full-sized view of the Microsoft Edge infographic ms.date: 11/10/2016 -ms.author: pashort -author: shortpatti --- Return to: [Browser: Microsoft Edge and Internet Explorer 11](enterprise-guidance-using-microsoft-edge-and-ie11.md)
diff --git a/browsers/edge/includes/allow-address-bar-suggestions-include.md b/browsers/edge/includes/allow-address-bar-suggestions-include.md index bd15a448b8..fef471693a 100644 --- a/browsers/edge/includes/allow-address-bar-suggestions-include.md +++ b/browsers/edge/includes/allow-address-bar-suggestions-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -10,7 +18,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed. Hide the Address bar drop-down functionality and disable the _Show search and site suggestions as I type_ toggle in Settings. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. Hide the Address bar drop-down list and disable the _Show search and site suggestions as I type_ toggle in Settings. |![Most restricted value](../images/check-gn.png) | |Enabled or not configured **(default)** |1 |1 |Allowed. Show the Address bar drop-down list and make it available. | | --- @@ -23,7 +31,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowaddressbardropdown) +- **MDM name:** Browser/[AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowaddressbardropdown) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAddressBarDropdown - **Data type:** Integer diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md index 669cdf2257..c3965dd477 100644 --- a/browsers/edge/includes/allow-adobe-flash-include.md +++ b/browsers/edge/includes/allow-adobe-flash-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled or not configured (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled |0 |0 |Prevented/not allowed | +|Disabled |0 |0 |Prevented | |Enabled **(default)** |1 |1 |Allowed | --- @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowflash) +- **MDM name:** Browser/[AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowflash) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash - **Data type:** Integer diff --git a/browsers/edge/includes/allow-clearing-browsing-data-include.md b/browsers/edge/includes/allow-clearing-browsing-data-include.md index 96e804b8cd..a3bd064c75 100644 --- a/browsers/edge/includes/allow-clearing-browsing-data-include.md +++ b/browsers/edge/includes/allow-clearing-browsing-data-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented/not allowed)* +>*Default setting: Disabled or not configured (Prevented)* [!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured **(default)** |0 |0 |Prevented/not allowed. Users can configure the _Clear browsing data_ option in Settings. | | +|Disabled or not configured **(default)** |0 |0 |Prevented. Users can configure the _Clear browsing data_ option in Settings. | | |Enabled |1 |1 |Allowed. Clear the browsing data upon exit automatically. |![Most restricted value](../images/check-gn.png) | --- @@ -23,7 +31,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-clearbrowsingdataonexit) +- **MDM name:** Browser/[ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-clearbrowsingdataonexit) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ClearBrowsingDataOnExit - **Data type:** Integer diff --git a/browsers/edge/includes/allow-config-updates-books-include.md b/browsers/edge/includes/allow-config-updates-books-include.md index ee403d0ebc..21454f87b9 100644 --- a/browsers/edge/includes/allow-config-updates-books-include.md +++ b/browsers/edge/includes/allow-config-updates-books-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | | --- @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) +- **MDM name:** Browser/[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary - **Data type:** Integer @@ -33,6 +41,6 @@ ### Related topics -[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) -

+[!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] +

diff --git a/browsers/edge/includes/allow-cortana-include.md b/browsers/edge/includes/allow-cortana-include.md index a175001e68..867850d83f 100644 --- a/browsers/edge/includes/allow-cortana-include.md +++ b/browsers/edge/includes/allow-cortana-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed. Users can still search to find items on their device. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. Users can still search to find items on their device. |![Most restricted value](../images/check-gn.png) | |Enabled
**(default)** |1 |1 |Allowed. | | --- @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Experience/[AllowCortana](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) +- **MDM name:** Experience/[AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) - **Supported devices:** Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowCortana - **Data type:** Integer diff --git a/browsers/edge/includes/allow-dev-tools-include.md b/browsers/edge/includes/allow-dev-tools-include.md index 919b4a9968..b335926754 100644 --- a/browsers/edge/includes/allow-dev-tools-include.md +++ b/browsers/edge/includes/allow-dev-tools-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Enabled (Allowed)* @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Allowed | | --- @@ -23,7 +31,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) +- **MDM name:** Browser/[AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) - **Supported devices:** Desktop - **URI full Path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDeveloperTools - **Data type:** Integer diff --git a/browsers/edge/includes/allow-enable-book-library-include.md b/browsers/edge/includes/allow-enable-book-library-include.md index 1018a1cdd6..ec76df7f79 100644 --- a/browsers/edge/includes/allow-enable-book-library-include.md +++ b/browsers/edge/includes/allow-enable-book-library-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
>*Default setting: Disabled or not configured* @@ -20,7 +28,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[Browser/AlwaysEnableBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) +- **MDM name:** Browser/[Browser/AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary - **Data type:** Integer diff --git a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md index 68b5ecc3da..f078711142 100644 --- a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md +++ b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
>*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)* @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** [Browser/EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) +- **MDM name:** [Browser/EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry - **Data type:** Integer diff --git a/browsers/edge/includes/allow-extensions-include.md b/browsers/edge/includes/allow-extensions-include.md index d779ecdd05..bb9b65ea2c 100644 --- a/browsers/edge/includes/allow-extensions-include.md +++ b/browsers/edge/includes/allow-extensions-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled |0 |0 |Prevented/not allowed | +|Disabled |0 |0 |Prevented | |Enabled or not configured
**(default)** |1 |1 |Allowed | --- @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) +- **MDM name:** Browser/[AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowExtensions - **Data type:** Integer @@ -33,7 +41,6 @@ ### Related topics -[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): -This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. +[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)]
\ No newline at end of file diff --git a/browsers/edge/includes/allow-full-screen-include.md b/browsers/edge/includes/allow-full-screen-include.md index 82d4ac9996..6cbfe544bd 100644 --- a/browsers/edge/includes/allow-full-screen-include.md +++ b/browsers/edge/includes/allow-full-screen-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* @@ -10,7 +18,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled
**(default)** |1 |1 |Allowed | | --- @@ -23,7 +31,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) +- **MDM name:** Browser/[AllowFullscreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFullscreen - **Data type:** Integer diff --git a/browsers/edge/includes/allow-inprivate-browsing-include.md b/browsers/edge/includes/allow-inprivate-browsing-include.md index aed98d6009..77339e72ef 100644 --- a/browsers/edge/includes/allow-inprivate-browsing-include.md +++ b/browsers/edge/includes/allow-inprivate-browsing-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -10,7 +18,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- @@ -23,7 +31,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) +- **MDM name:** Browser/[AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowInPrivate - **Data type:** Integer diff --git a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md index 7feffa1941..bbc6aad2d2 100644 --- a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md +++ b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) +- **MDM name:** Browser/[AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowMicrosoftCompatibilityList - **Data type:** Integer diff --git a/browsers/edge/includes/allow-prelaunch-include.md b/browsers/edge/includes/allow-prelaunch-include.md index fc39431ec2..7f1d10363c 100644 --- a/browsers/edge/includes/allow-prelaunch-include.md +++ b/browsers/edge/includes/allow-prelaunch-include.md @@ -1,7 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-prelaunch-shortdesc](../shortdesc/allow-prelaunch-shortdesc.md)] @@ -10,12 +17,9 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restrictive value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restrictive value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- -### Configuration options - -For more details about configuring the prelaunch and preload options, see [Prelaunch Microsoft Edge and preload tabs in the background](../group-policies/prelaunch-preload-gp.md). ### ADMX info and settings @@ -27,7 +31,7 @@ For more details about configuring the prelaunch and preload options, see [Prela - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) +- **MDM name:** Browser/[AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrelaunch - **Data type:** Integer diff --git a/browsers/edge/includes/allow-printing-include.md b/browsers/edge/includes/allow-printing-include.md index 196a72daea..c489b9ebdd 100644 --- a/browsers/edge/includes/allow-printing-include.md +++ b/browsers/edge/includes/allow-printing-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-printing-shortdesc](../shortdesc/allow-printing-shortdesc.md)] @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restrictive value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restrictive value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) +- **MDM name:** Browser/[AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPrinting - **Data type:** Integer diff --git a/browsers/edge/includes/allow-saving-history-include.md b/browsers/edge/includes/allow-saving-history-include.md index db571b2059..cc495aac9e 100644 --- a/browsers/edge/includes/allow-saving-history-include.md +++ b/browsers/edge/includes/allow-saving-history-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-saving-history-shortdesc](../shortdesc/allow-saving-history-shortdesc.md)] @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- @@ -22,7 +30,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) +- **MDM name:** Browser/[AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSavingHistory - **Data type:** Integer diff --git a/browsers/edge/includes/allow-search-engine-customization-include.md b/browsers/edge/includes/allow-search-engine-customization-include.md index 0ee8c5866e..cc3137fa52 100644 --- a/browsers/edge/includes/allow-search-engine-customization-include.md +++ b/browsers/edge/includes/allow-search-engine-customization-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -8,14 +16,10 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- -### Configuration options - -For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md). - ### ADMX info and settings ##### ADMX info @@ -25,7 +29,7 @@ For more details about configuring the search engine, see [Search engine customi - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) +- **MDM name:** Browser/[AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchEngineCustomization - **Data type:** Integer diff --git a/browsers/edge/includes/allow-shared-folder-books-include.md b/browsers/edge/includes/allow-shared-folder-books-include.md index ca16e49ee0..d4b813968c 100644 --- a/browsers/edge/includes/allow-shared-folder-books-include.md +++ b/browsers/edge/includes/allow-shared-folder-books-include.md @@ -1,14 +1,24 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1803*
>*Default setting: Disabled or not configured (Not allowed)* [!INCLUDE [allow-a-shared-books-folder-shortdesc](../shortdesc/allow-a-shared-books-folder-shortdesc.md)] + + ### Supported values |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.| | +|Disabled or not configured
**(default)** |0 |0 |Prevented. Microsoft Edge downloads book files to a per-user folder for each user. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

Also, the users must be signed in with a school or work account.| | --- ![Allow a shared books folder](../images/allow-shared-books-folder_sm.png) @@ -22,7 +32,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) +- **MDM name:** Browser/[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks - **Data type:** Integer diff --git a/browsers/edge/includes/allow-sideloading-extensions-include.md b/browsers/edge/includes/allow-sideloading-extensions-include.md index b6ebf001c6..b0575c853b 100644 --- a/browsers/edge/includes/allow-sideloading-extensions-include.md +++ b/browsers/edge/includes/allow-sideloading-extensions-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled (Allowed)* [!INCLUDE [allow-sideloading-of-extensions-shortdesc](../shortdesc/allow-sideloading-of-extensions-shortdesc.md)] @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured |0 |0 |Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, enable **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** policy, located at Windows Components > App Package Deployment.

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |![Most restricted value](../images/check-gn.png) | +|Disabled or not configured |0 |0 |Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |![Most restricted value](../images/check-gn.png) | |Enabled
**(default)** |1 |1 |Allowed. | | --- @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) +- **MDM name:** Browser/[AllowSideloadingExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSideloadingExtensions - **Data type:** Integer @@ -33,12 +41,12 @@ ### Related policies -- [Allows development of Windows Store apps and installing them from an integrated development environment (IDE)](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE. +- [Allows development of Windows Store apps and installing them from an integrated development environment (IDE)](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowdeveloperunlock): When you enable this policy and the **Allow all trusted apps to install** policy, you allow users to develop Windows Store apps and install them directly from an IDE. -- [Allow all trusted apps to install](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowalltrustedapps): When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. +- [Allow all trusted apps to install](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowalltrustedapps): When you enable this policy, you can manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. ### Related topics -[Enable your device for development](https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development): Access development features, along with other developer-focused settings to make it possible for you to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. +[Enable your device for development](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development): Access development features, along with other developer-focused settings to make it possible for you to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode.

\ No newline at end of file diff --git a/browsers/edge/includes/allow-tab-preloading-include.md b/browsers/edge/includes/allow-tab-preloading-include.md index b09c405754..c62d262521 100644 --- a/browsers/edge/includes/allow-tab-preloading-include.md +++ b/browsers/edge/includes/allow-tab-preloading-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, version 1802*
+>*Supported versions: Microsoft Edge on Windows 10, version 1802*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)] @@ -8,15 +16,10 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) | -|Enabled or not configured
**(default)** |1 |1 |Allowed. Preload Start and New tab pages. | | +|Disabled |0 |0 |Prevented. |![Most restricted value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Allowed. Preload Start and New Tab pages. | | --- - -### Configuration options - -For more details about configuring the prelaunch and preload options, see [Prelaunch Microsoft Edge and preload tabs in the background](../group-policies/prelaunch-preload-gp.md). - ### ADMX info and settings #### ADMX info @@ -26,7 +29,7 @@ For more details about configuring the prelaunch and preload options, see [Prela - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) +- **MDM name:** Browser/[AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowTabPreloading - **Data type:** Integer diff --git a/browsers/edge/includes/allow-web-content-new-tab-page-include.md b/browsers/edge/includes/allow-web-content-new-tab-page-include.md index 7c6889225d..cdd5bb2adc 100644 --- a/browsers/edge/includes/allow-web-content-new-tab-page-include.md +++ b/browsers/edge/includes/allow-web-content-new-tab-page-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 11/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Default New tab page loads)* +>*Default setting: Enabled (the default New Tab page loads)* [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] @@ -10,9 +18,8 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Not configured |Blank |Blank |Users can choose what loads on the New tab page. | -|Disabled |0 |0 |Load a blank page instead of the default New tab page and prevent users from changing it. | -|Enabled **(default)** |1 |1 |Load the default New tab page. | +|Disabled |0 |0 |Load a blank page instead of the default New Tab page and prevent users from making changes. | +|Enabled or not configured **(default)** |1 |1 |Load the default New Tab page and the users make changes. | --- ### ADMX info and settings @@ -24,7 +31,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) +- **MDM name:** Browser/[AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowWebContentOnNewTabPage - **Data type:** Integer @@ -34,4 +41,7 @@ - **Value name:** AllowWebContentOnNewTabPage - **Value type:** REG_DWORD +### Related policies +[Set New Tab page URL](../available-policies.md#set-new-tab-page-url): [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] +
\ No newline at end of file diff --git a/browsers/edge/includes/always-enable-book-library-include.md b/browsers/edge/includes/always-enable-book-library-include.md index 62804e3f93..16ee156803 100644 --- a/browsers/edge/includes/always-enable-book-library-include.md +++ b/browsers/edge/includes/always-enable-book-library-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
>*Default setting: Disabled or not configured* @@ -22,7 +30,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AlwaysEnableBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) +- **MDM name:** Browser/[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AlwaysEnableBooksLibrary - **Data type:** Integer diff --git a/browsers/edge/includes/browser-extension-policy-shortdesc-include.md b/browsers/edge/includes/browser-extension-policy-shortdesc-include.md deleted file mode 100644 index 4a64abb65c..0000000000 --- a/browsers/edge/includes/browser-extension-policy-shortdesc-include.md +++ /dev/null @@ -1 +0,0 @@ -[Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. \ No newline at end of file diff --git a/browsers/edge/includes/configure-additional-search-engines-include.md b/browsers/edge/includes/configure-additional-search-engines-include.md index f77a076f2a..cd5341cd46 100644 --- a/browsers/edge/includes/configure-additional-search-engines-include.md +++ b/browsers/edge/includes/configure-additional-search-engines-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented/not allowed)* +>*Default setting: Disabled or not configured (Prevented)* [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] @@ -8,15 +16,10 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.

If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. |![Most restricted value](../images/check-gn.png) | +|Disabled or not configured
**(default)** |0 |0 |Prevented. Use the search engine specified in App settings.

If you enabled this policy and now want to disable it, all previously configured search engines get removed. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | | --- - -### Configuration options - -For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md). - ### ADMX info and settings #### ADMX info - **GP English name:** Configure additional search engines @@ -26,7 +29,7 @@ For more details about configuring the search engine, see [Search engine customi - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) +- **MDM name:** Browser/[ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureAdditionalSearchEngines - **Data type:** Integer @@ -45,8 +48,8 @@ For more details about configuring the search engine, see [Search engine customi ### Related topics -- [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. +- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] -- [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. +- [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites.

\ No newline at end of file diff --git a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md index d7b0fa6adb..3011317313 100644 --- a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md +++ b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Enabled or not configured (Does not load content automatically)* [!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled |0 |0 |Load and run Adobe Flash content automatically. | | -|Enabled or not configured
**(default)** |1 |1 |Do not load or run Adobe Flash content automatically. Requires action from the user. |![Most restricted value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Do not load or run Adobe Flash content and require action from the user. |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) +- **MDM name:** Browser/[AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlashClickToRun - **Data type:** Integer diff --git a/browsers/edge/includes/configure-allow-flash-url-list-include.md b/browsers/edge/includes/configure-allow-flash-url-list-include.md deleted file mode 100644 index 919215341c..0000000000 --- a/browsers/edge/includes/configure-allow-flash-url-list-include.md +++ /dev/null @@ -1,36 +0,0 @@ - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting:* - -[!INCLUDE [configure-allow-flash-for-url-list-shortdesc](../shortdesc/configure-allow-flash-for-url-list-shortdesc.md)] - -### Supported values - -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -| | | | | | -| | | | | | -| | | | | | ---- - -![Most restricted value](../images/check-gn.png) - -### ADMX info and settings -#### ADMX info -- **GP English name:** -- **GP name:** -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[]() -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ -- **Value name:** -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-autofill-include.md b/browsers/edge/includes/configure-autofill-include.md index 3464943193..bd717cc583 100644 --- a/browsers/edge/includes/configure-autofill-include.md +++ b/browsers/edge/includes/configure-autofill-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Not configured (Blank)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Not configured
**(default)** | Blank |Blank |Users can choose to use AutoFill. | | +|Not configured
**(default)** | Blank |Blank |Users can choose to use Autofill. | | |Disabled | 0 | no | Prevented. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |yes | Allowed. | | --- @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowautofill) +- **MDM name:** Browser/[AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowautofill) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAutofill - **Data type:** Integer diff --git a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md index 3a0386c574..f4c4360129 100644 --- a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md +++ b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md @@ -1,12 +1,26 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (No data collected or sent)* [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] >[!IMPORTANT] ->For this policy to work, enable the Allow Telemetry policy with the _Enhanced_ option and enable the Configure the Commercial ID policy by providing the Commercial ID. +>For this policy to work, enable the **Allow Telemetry** group policy with the _Enhanced_ option and enable the **Configure the Commercial ID** group policy by providing the Commercial ID. +> +>You can find these policies in the following location of the Group Policy Editor: +> +>**Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\** +> + ### Supported values @@ -19,12 +33,6 @@ |Enabled |3 |3 |Send both intranet and Internet history | | --- ->>You can find this policy and the related policies in the following location of the Group Policy Editor: ->> ->>**_Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\_** ->> - - ### ADMX info and settings #### ADMX info @@ -36,7 +44,7 @@ #### MDM settings -- **MDM name:** Browser/[ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) +- **MDM name:** Browser/[ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureTelemetryForMicrosoft365Analytics - **Data type:** Integer diff --git a/browsers/edge/includes/configure-cookies-include.md b/browsers/edge/includes/configure-cookies-include.md index f89816f8d8..5ef992f09e 100644 --- a/browsers/edge/includes/configure-cookies-include.md +++ b/browsers/edge/includes/configure-cookies-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured (Allow all cookies from all sites)* @@ -8,9 +16,9 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Enabled |0 |0 |Block all cookies from all sites |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Block only coddies from third party websites | | -|Disabled or not configured
**(default)** |2 |2 |Allow all cookies from all sites | | +|Enabled |0 |0 |Block all cookies from all sites. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Block only coddies from third party websites. | | +|Disabled or not configured
**(default)** |2 |2 |Allow all cookies from all sites. | | --- ### ADMX info and settings @@ -22,7 +30,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser\#browser-allowcookies) +- **MDM name:** Browser/[AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowcookies) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowCookies - **Data type:** Integer diff --git a/browsers/edge/includes/configure-do-not-track-include.md b/browsers/edge/includes/configure-do-not-track-include.md index 74478b6881..4e77fdadf8 100644 --- a/browsers/edge/includes/configure-do-not-track-include.md +++ b/browsers/edge/includes/configure-do-not-track-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Not configured (Do not send tracking information)* @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) +- **MDM name:** Browser/[AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowDoNotTrack - **Data type:** Integer diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md index a1dfe3e91c..2fa8b095e5 100644 --- a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md +++ b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md @@ -1,11 +1,19 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: 5 minutes* [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] -You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). +You must set the Configure kiosk mode policy to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-shared-pc). ### Supported values @@ -22,7 +30,7 @@ You must set the Configure kiosk mode policy to enabled (1 - InPrivate public br - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) +- **MDM name:** Browser/[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout - **Data type:** Integer @@ -36,11 +44,11 @@ You must set the Configure kiosk mode policy to enabled (1 - InPrivate public br ### Related policies -[Configure kiosk mode](../new-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] +[Configure kiosk mode](../available-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] ### Related topics -[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to setup your Microsoft Edge kiosk mode experience. +[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience.
\ No newline at end of file diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md index 6b347ce989..aeb849adf4 100644 --- a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md +++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md @@ -1,3 +1,5 @@ + + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured* @@ -10,7 +12,7 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Disabled or not configured
**(default)** |0 |0 |Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. | -|Enabled |1 |1 |Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). | +|Enabled |1 |1 |Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 seconds, but uses the existing file. To add the location to your site list, enter it in the **{URI}** box.

For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). | --- ### ADMX info and settings @@ -23,7 +25,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) +- **MDM name:** Browser/[EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/EnterpriseModeSiteList - **Data type:** String @@ -40,15 +42,15 @@ ### Related topics -- [Use Enterprise Mode to improve compatibility](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility). If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. +- [Use Enterprise Mode to improve compatibility](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility). If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. -- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. +- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. -- [Enterprise Mode for Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. +- [Enterprise Mode for Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. -- [Enterprise Mode and the Enterprise Mode Site List](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode). Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). +- [Enterprise Mode and the Enterprise Mode Site List](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode). Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool targeted explicitly towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). -- [Enterprise Mode and the Enterprise Mode Site List XML file](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#enterprise-mode-and-the-enterprise-mode-site-list-xml-file). The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using Enterprise Mode Site List Manager (schema v.2), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your users can easily view this site list by typing about:compat in either Microsoft Edge or IE11. +- [Enterprise Mode and the Enterprise Mode Site List XML file](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode#enterprise-mode-and-the-enterprise-mode-site-list-xml-file). The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. When you use the Enterprise Mode Site List Manager schema v.2, you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also launch in a specific compat mode, so it always renders correctly. Your users can quickly view this site list by typing about:compat in either Microsoft Edge or IE11. diff --git a/browsers/edge/includes/configure-favorites-bar-include.md b/browsers/edge/includes/configure-favorites-bar-include.md index f4f537218f..a5350ca9aa 100644 --- a/browsers/edge/includes/configure-favorites-bar-include.md +++ b/browsers/edge/includes/configure-favorites-bar-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, new major release* ->*Default setting: Not configured (Hidden)* +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Not configured (Hidden but shown on the Start and New Tab pages)* [!INCLUDE [allow-favorites-bar-shortdesc](../shortdesc/configure-favorites-bar-shortdesc.md)] @@ -11,9 +19,10 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Not configured **(default)** |Blank |Blank |Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. | -|Disabled |0 |0 |Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | -|Enabled |1 |1 |Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | +|Not configured **(default)** |Blank |Blank |Hidden but shown on the Start and New Tab pages.

Favorites Bar toggle (in Settings) = **Off** and enabled letting users make changes. | +|Disabled |0 |0 |Hidden on all pages.

| +|Enabled |1 |1 |Shown on all pages. | + --- ### ADMX info and settings @@ -24,7 +33,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) +- **MDM name:** Browser/[ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureFavoritesBar - **Data type:** Integer diff --git a/browsers/edge/includes/configure-favorites-include.md b/browsers/edge/includes/configure-favorites-include.md index 4b4862fef7..5287150eea 100644 --- a/browsers/edge/includes/configure-favorites-include.md +++ b/browsers/edge/includes/configure-favorites-include.md @@ -1,4 +1,12 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy in place of Configure Favorites. +>Discontinued in the Windows 10 October 2018 Update. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** group policy instead.
\ No newline at end of file diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md index d9cf247781..eaaa4f7af4 100644 --- a/browsers/edge/includes/configure-home-button-include.md +++ b/browsers/edge/includes/configure-home-button-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/28/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Show home button and load the Start page)* @@ -10,15 +18,12 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled or not configured
**(default)** |0 |0 |Show home button and load the Start page. | -|Enabled |1 |1 |Show home button and load the New tab page. | -|Enabled |2 |2 |Show home button and load the custom URL defined in the Set Home Button URL policy. | -|Enabled |3 |3 |Hide home button. | +|Disabled or not configured
**(default)** |0 |0 |Load the Start page. | +|Enabled |1 |1 |Load the New Tab page. | +|Enabled |2 |2 |Load the custom URL defined in the Set Home Button URL policy. | +|Enabled |3 |3 |Hide the home button. | --- -### Configuration options - -For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md). >[!TIP] >If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
@@ -33,7 +38,7 @@ For more details about configuring the different Home button options, see [Home - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) +- **MDM name:** Browser/[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton - **Data type:** Integer @@ -45,9 +50,9 @@ For more details about configuring the different Home button options, see [Home ### Related policies -- [Set Home Button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] +- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] -- [Unlock Home Button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] -
\ No newline at end of file +
diff --git a/browsers/edge/includes/configure-inprivate-include.md b/browsers/edge/includes/configure-inprivate-include.md deleted file mode 100644 index c29a818b47..0000000000 --- a/browsers/edge/includes/configure-inprivate-include.md +++ /dev/null @@ -1,32 +0,0 @@ -## Configure InPrivate - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured - - -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -| | | | | | -| | | | | | -| | | | | | ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** -- **GP name:** -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[]() -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ -- **Value name:** -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md b/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md new file mode 100644 index 0000000000..98e3d163d0 --- /dev/null +++ b/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md @@ -0,0 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/27/2018 +ms.prod: edge +ms:topic: include +--- + +| | | +|---|---| +| **Single-app**

![thumbnail](../images/Picture1-sm.png)

**Digital/interactive signage**

Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.

**Policy setting** = Not configured (0 default)

|

 

![thumbnail](../images/Picture2-sm.png)

**Public browsing**

Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.

The single-app public browsing mode is the only kiosk mode that has an **End session** button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.

_**Example.**_ A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

**Policy setting** = Enabled (1) | +| **Multi-app**

![thumbnail](../images/Picture5-sm.png)

**Normal browsing**

Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.

Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

**Policy setting** = Not configured (0 default) |

 

![thumbnail](../images/Picture6-sm.png)

**Public browsing**

Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

_**Example.**_ A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

**Policy setting** = Enabled (1) | +--- \ No newline at end of file diff --git a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md index 54880f184f..197b2c1f1a 100644 --- a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md +++ b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/27/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Not configured* [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] @@ -9,13 +17,8 @@ For this policy to work, you must configure Microsoft Edge in assigned access; o ### Supported values -| | | -|---|---| -|(0) Default or not configured |

| -|(1) Enabled | | ---- +[!INCLUDE [configure-kiosk-mode-supported-values-include](configure-kiosk-mode-supported-values-include.md)] -![Microsoft Edge kiosk experience](../images/microsoft-edge-kiosk-mode.png) ### ADMX info and settings #### ADMX info @@ -26,7 +29,7 @@ For this policy to work, you must configure Microsoft Edge in assigned access; o - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) +- **MDM name:** Browser/[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode - **Data type:** Integer @@ -37,10 +40,10 @@ For this policy to work, you must configure Microsoft Edge in assigned access; o - **Value type:** REG_SZ ### Related policies -[Configure kiosk reset after idle timeout](../new-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] +[Configure kiosk reset after idle timeout](../available-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] ### Related topics -[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to setup your Microsoft Edge kiosk mode experience. +[Deploy Microsoft Edge kiosk mode](../microsoft-edge-kiosk-mode-deploy.md): Microsoft Edge kiosk mode works with assigned access to allow IT administrators, to create a tailored browsing experience designed for kiosk devices. In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn about the other group policies to help you enhance the how to set up your Microsoft Edge kiosk mode experience.
\ No newline at end of file diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md index 70ba21e6ab..35c21d3076 100644 --- a/browsers/edge/includes/configure-open-edge-with-include.md +++ b/browsers/edge/includes/configure-open-edge-with-include.md @@ -1,29 +1,33 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled (A specific page or pages)* [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] **Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. -**Version 1810:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

+**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

### Supported values |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Not configured |Blank |Blank |If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | -|Enabled |0 |0 |Loads the Start page. | -|Enabled |1 |1 |Load the New tab page. | +|Enabled |0 |0 |Load the Start page. | +|Enabled |1 |1 |Load the New Tab page. | |Enabled |2 |2 |Load the previous pages. | |Enabled
**(default)** |3 |3 |Load a specific page or pages. | --- -### Configuration options - -For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md). - >[!TIP] >If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
@@ -38,7 +42,7 @@ For more details about configuring the Start pages, see [Start pages configurati - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) +- **MDM name:** Browser/[ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureOpenEdgeWith - **Data type:** Integer diff --git a/browsers/edge/includes/configure-password-manager-include.md b/browsers/edge/includes/configure-password-manager-include.md index eb1e236003..463baf4185 100644 --- a/browsers/edge/includes/configure-password-manager-include.md +++ b/browsers/edge/includes/configure-password-manager-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Allowed/users can change the setting)* @@ -25,7 +33,7 @@ Verify not allowed/disabled settings: - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) +- **MDM name:** Browser/[AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPasswordManager - **Data type:** Integer diff --git a/browsers/edge/includes/configure-pop-up-blocker-include.md b/browsers/edge/includes/configure-pop-up-blocker-include.md index cb5d637204..dffcc2ed7e 100644 --- a/browsers/edge/includes/configure-pop-up-blocker-include.md +++ b/browsers/edge/includes/configure-pop-up-blocker-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled (Turned off)* @@ -9,8 +17,8 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Not configured |Blank |Blank |Users can choose to use Pop-up Blocker. | | -|Disabled
**(default)** |0 |0 |Turn off Pop-up Blocker letting pop-up windows open. | | -|Enabled |1 |1 |Turn on Pop-up Blocker stopping pop-up windows from opening. |![Most restricted value](../images/check-gn.png) | +|Disabled
**(default)** |0 |0 |Turned off. Allow pop-up windows to open. | | +|Enabled |1 |1 |Turned on. Prevent pop-up windows from opening. |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) +- **MDM name:** Browser/[AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowPopups - **Data type:** Integer diff --git a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md index fbe5457aa0..4985091db3 100644 --- a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md +++ b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Not configured (Blank)* @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Not configured
**(default)** |Blank |Blank |Users can choose to see search suggestions. | | -|Disabled |0 |0 |Prevented/not allowed. Hide the search suggestions. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. Hide the search suggestions. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Allowed. Show the search suggestions. | | --- @@ -21,7 +29,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) +- **MDM name:** Browser/[AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchsuggestionsinaddressbar) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSearchSuggestionsinAddressBar - **Data type:** Integer diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md index 4a5c023576..7c469da556 100644 --- a/browsers/edge/includes/configure-start-pages-include.md +++ b/browsers/edge/includes/configure-start-pages-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Blank or not configured (Load pages specified in App settings)* @@ -9,13 +17,9 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Not configured |Blank |Blank |Load the pages specified in App settings as the default Start pages. | -|Enabled |String |String |Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1810:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | +|Enabled |String |String |Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1809:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | --- -### Configuration options - -For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md). - ### ADMX info and settings #### ADMX info - **GP English name:** Configure Start pages @@ -25,7 +29,7 @@ For more details about configuring the Start pages, see [Start pages configurati - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) +- **MDM name:** Browser/[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages - **Data type:** String @@ -40,7 +44,7 @@ For more details about configuring the Start pages, see [Start pages configurati - [Disable Lockdown of Start Pages](#disable-lockdown-of-start-pages-include): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] -- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] +- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md index b9545d480d..5e460d6a00 100644 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Turned on)* @@ -26,7 +34,7 @@ To verify Windows Defender SmartScreen is turned off (disabled): - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) +- **MDM name:** Browser/[AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen - **Data type:** Integer diff --git a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md index 06a0642481..94af3ec1e5 100644 --- a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md +++ b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Start pages are not editable)* @@ -8,14 +16,10 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Not configured |0 |0 |Lock down Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. |![Most restricted value](../images/check-gn.png) | +|Not configured |0 |0 |Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | --- -### Configuration options - -For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md). - ### ADMX info and settings #### ADMX info @@ -25,7 +29,7 @@ For more details about configuring the Start pages, see [Start pages configurati - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) +- **MDM name:** Browser/[DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/DisableLockdownOfStartPages - **Data type:** Integer @@ -42,10 +46,10 @@ For more details about configuring the Start pages, see [Start pages configurati ### Related Policies - [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] -- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] +- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] ### Related topics -[!INCLUDE [browser-extension-policy-shortdesc-include](browser-extension-policy-shortdesc-include.md)] +[!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)]

\ No newline at end of file diff --git a/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md b/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md deleted file mode 100644 index 3d4feeb168..0000000000 --- a/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md +++ /dev/null @@ -1,31 +0,0 @@ - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured* - - -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -| | | | | | -| | | | | | -| | | | | | ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** -- **GP name:** -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[]() -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ -- **Value name:** -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md index 2424c7de85..143622193e 100644 --- a/browsers/edge/includes/do-not-sync-browser-settings-include.md +++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured (Allowed/turned on)* @@ -12,10 +20,6 @@ |Enabled |2 |2 |Prevented/turned off. The “browser” group does not use the _Sync your Settings_ option. | --- -### Configuration options - -For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md). - ### ADMX info and settings #### ADMX info @@ -25,7 +29,7 @@ For more details about configuring the browser syncing options, see [Sync browse - **GP ADMX file name:** SettingSync.admx #### MDM settings -- **MDM name:** [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) +- **MDM name:** [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/DoNotSyncBrowserSettings - **Data type:** Integer @@ -37,7 +41,7 @@ For more details about configuring the browser syncing options, see [Sync browse ### Related policies -[Prevent users from turning on browser syncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] +[Prevent users from turning on browser syncing](../available-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] diff --git a/browsers/edge/includes/do-not-sync-include.md b/browsers/edge/includes/do-not-sync-include.md index 8a8b4770f2..4434b8e64c 100644 --- a/browsers/edge/includes/do-not-sync-include.md +++ b/browsers/edge/includes/do-not-sync-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured (Allowed/turned on)* @@ -20,7 +28,7 @@ - **GP ADMX file name:** SettingSync.admx #### MDM settings -- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) +- **MDM name:** Experience/[AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings - **Data type:** Integer @@ -31,7 +39,7 @@ - **Value type:** REG_DWORD ### Related topics -[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are sync'ed. +[About sync setting on Microsoft Edge on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices): Learn about what settings are synced.
\ No newline at end of file diff --git a/browsers/edge/includes/edge-respects-applocker-lists-include.md b/browsers/edge/includes/edge-respects-applocker-lists-include.md deleted file mode 100644 index 60b8d8f5e0..0000000000 --- a/browsers/edge/includes/edge-respects-applocker-lists-include.md +++ /dev/null @@ -1,22 +0,0 @@ - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured - - -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -| | | | | | -| | | | | | -| | | | | | ---- - -### ADMX info and settings -| | | -|---|---| -|ADMX info | | -|MDM settings | | -|Registry | | ---- - - ---- \ No newline at end of file diff --git a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md index f724a38af6..7d722faf12 100644 --- a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md +++ b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md @@ -1 +1,9 @@ -[Enable your device for development](https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +[Enable your device for development](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode. \ No newline at end of file diff --git a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md index ed4e9b1019..d3d116dc84 100644 --- a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md +++ b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Internet Explorer 11 on Windows 10, version 1607 or later*
>*Default setting: Disabled or not configured* @@ -5,3 +13,7 @@ By default, all sites open the currently active browser. With this policy, you c >[!NOTE] >If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11. + +You can find the group policy settings in the following location of the Group Policy Editor: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Internet Explorer\\** diff --git a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md index b1dda60948..c7fc49bc93 100644 --- a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md +++ b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Disabled or not configured (Turned off/not syncing)* @@ -20,7 +28,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) +- **MDM name:** Browser/[SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge - **Data type:** Integer diff --git a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md index c0590648fa..f7d692d864 100644 --- a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md +++ b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md @@ -1 +1,9 @@ -[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows and evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment. diff --git a/browsers/edge/includes/prevent-access-about-flag-include.md b/browsers/edge/includes/prevent-access-about-flag-include.md index 2ec1c055f5..1f55180874 100644 --- a/browsers/edge/includes/prevent-access-about-flag-include.md +++ b/browsers/edge/includes/prevent-access-about-flag-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
>*Default setting: Disabled or not configured (Allowed)* @@ -8,8 +16,8 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed. | | -|Enabled |1 |1 |Prevents users from accessing the about:flags page. |![Most restricted value](../images/check-gn.png) | +|Disabled or not configured
**(default)** |0 |0 |Allowed | | +|Enabled |1 |1 |Prevented |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings @@ -20,7 +28,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) +- **MDM name:** Browser/[PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventAccessToAboutFlagsInMicrosoftEdge - **Data type:** Integer diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md index e547317eb3..7638ce642a 100644 --- a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md +++ b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Allowed/turned off)* @@ -20,7 +28,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) +- **MDM name:** Browser/[PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles - **Data type:** Integer diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md index e57bb9f213..438290f181 100644 --- a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md +++ b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Allowed/turned off)* @@ -20,7 +28,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[PreventSmartscreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) +- **MDM name:** Browser/[PreventSmartscreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride - **Data type:** Integer diff --git a/browsers/edge/includes/prevent-certificate-error-overrides-include.md b/browsers/edge/includes/prevent-certificate-error-overrides-include.md index 052ef6499e..404d0688e3 100644 --- a/browsers/edge/includes/prevent-certificate-error-overrides-include.md +++ b/browsers/edge/includes/prevent-certificate-error-overrides-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Allowed/turned off)* [!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)] @@ -19,7 +27,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) +- **MDM name:** Browser/[PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventCertErrorOverrides - **Data type:** Integer diff --git a/browsers/edge/includes/prevent-changes-to-favorites-include.md b/browsers/edge/includes/prevent-changes-to-favorites-include.md index 4bbb97f4b0..75a386025f 100644 --- a/browsers/edge/includes/prevent-changes-to-favorites-include.md +++ b/browsers/edge/includes/prevent-changes-to-favorites-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
>*Default setting: Disabled or not configured (Allowed/not locked down)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed/not locked down. Users can add, import, and make changes to the Favorites list. | | +|Disabled or not configured
**(default)** |0 |0 |Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | | |Enabled |1 |1 |Prevented/locked down. |![Most restricted value](../images/check-gn.png) | --- @@ -20,7 +28,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) +- **MDM name:** Browser/[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/LockdownFavorites - **Data type:** Integer diff --git a/browsers/edge/includes/prevent-first-run-webpage-open-include.md b/browsers/edge/includes/prevent-first-run-webpage-open-include.md index 21acfb5de4..ec2966bba7 100644 --- a/browsers/edge/includes/prevent-first-run-webpage-open-include.md +++ b/browsers/edge/includes/prevent-first-run-webpage-open-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Disabled or not configured (Allowed)* @@ -20,7 +28,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) +- **MDM name:** Browser/[PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventFirstRunPage - **Data type:** Integer diff --git a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md index cfc5af6f08..e595e3fe28 100644 --- a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md +++ b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Disabled or not configured (Collect and send)* @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled or not configured
**(default)** |0 |0 |Collect and send Live Tile metadata. | | -|Enabled |1 |1 |No data collected. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Do not collect data. |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings @@ -20,7 +28,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) +- **MDM name:** Browser/[PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventLiveTileDataCollection - **Data type:** Integer diff --git a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md index 4b5e20e3cb..39187a492b 100644 --- a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md +++ b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Allowed/show localhost IP addresses)* @@ -20,7 +28,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) +- **MDM name:** Browser/[PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventUsingLocalHostIPAddressForWebRTC - **Data type:** Integer diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md index 67f9bab3e2..4f168cc2ab 100644 --- a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md +++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Allowed)* [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] @@ -10,9 +18,11 @@ |Group Policy |Description | |---|---| |Disabled or not configured
**(default)** |Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | -|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:

_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../available-policies.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | +|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:

_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | --- + + ### ADMX info and settings #### ADMX info - **GP English name:** Prevent turning off required extensions @@ -21,7 +31,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) +- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions - **Data type:** String @@ -37,10 +47,10 @@ ### Related topics -- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. -- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/en-us/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. -- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-deploy): Apps can be assigned to devices whether or not they are managed by Intune. -- [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. -- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/en-us/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. These types of apps are typically written in-house. +- [Find a package family name (PFN) for per-app VPN](https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn): There are two ways to find a PFN so that you can configure a per-app VPN. +- [How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/windows-store-for-business): The Microsoft Store for Business gives you a place to find and purchase apps for your organization, individually, or in volume. By connecting the store to Microsoft Intune, you can manage volume-purchased apps from the Azure portal. +- [How to assign apps to groups with Microsoft Intune](https://docs.microsoft.com/intune/apps-deploy): Apps can be assigned to devices whether or not Intune manages them. +- [Manage apps from the Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business): Configuration Manager supports managing Microsoft Store for Business apps on both Windows 10 devices with the Configuration Manager client, and also Windows 10 devices enrolled with Microsoft Intune. +- [How to add Windows line-of-business (LOB) apps to Microsoft Intune](https://docs.microsoft.com/intune/lob-apps-windows): A line-of-business (LOB) app is one that you add from an app installation file. Typically, these types of apps are written in-house.

\ No newline at end of file diff --git a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md index 215ccfad37..5548ae3f74 100644 --- a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md +++ b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md @@ -1,5 +1,13 @@ - ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Prevented/turned off)* [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] @@ -11,10 +19,6 @@ |Enabled or not configured
**(default)** |1 |1 |Prevented/turned off. | --- -### Configuration options - -For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md). - ### ADMX info and settings #### ADMX info @@ -24,7 +28,7 @@ For more details about configuring the browser syncing options, see [Sync browse - **GP ADMX file name:** SettingSync.admx #### MDM settings -- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) +- **MDM name:** Experience/[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Experience/PreventUsersFromTurningOnBrowserSyncing - **Data type:** String diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md index f0398c27c6..a67f33444b 100644 --- a/browsers/edge/includes/provision-favorites-include.md +++ b/browsers/edge/includes/provision-favorites-include.md @@ -1,9 +1,18 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Customizable)* [!INCLUDE [provision-favorites-shortdesc](../shortdesc/provision-favorites-shortdesc.md)] + >[!IMPORTANT] >Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. @@ -12,7 +21,7 @@ |Group Policy |Description |Most restricted | |---|---|:---:| |Disabled or not configured
**(default)** |Users can customize the favorites list, such as adding folders, or adding and removing favorites. | | -|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file**, and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=http://localhost:8080/URLs.html
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
|![Most restricted value](../images/check-gn.png) | +|Enabled |Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.

To define a default list of favorites, do the following:

  1. In the upper-right corner of Microsoft Edge, click the ellipses (**...**) and select **Settings**.
  2. Click **Import from another browser**, click **Export to file** and save the file.
  3. In the **Options** section of the Group Policy Editor, provide the location that points the file with the list of favorites to provision. Specify the URL as:
    • HTTP location: "SiteList"=https://localhost:8080/URLs.html
    • Local network: "SiteList"="\network\shares\URLs.html"
    • Local file: "SiteList"=file:///c:/Users/Documents/URLs.html
|![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings @@ -24,7 +33,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) +- **MDM name:** Browser/[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ProvisionFavorites - **Data type:** String diff --git a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md index e550bc4e57..0189af0a67 100644 --- a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md +++ b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md @@ -1 +1,9 @@ -[Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +[Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. \ No newline at end of file diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md index 904c78270d..17ce737c8c 100644 --- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md +++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured* @@ -13,7 +21,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled or not configured
**(default)** |0 |0 |All sites, including intranet sites, open in Microsoft Edge automatically. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.

  2. Refresh the policy and then view the affected sites in Microsoft Edge.

    A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | +|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy opens all intranet sites in IE11 automatically, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | --- @@ -25,7 +33,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) +- **MDM name:** Browser/[SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SendIntranetTraffictoInternetExplorer - **Data type:** Integer @@ -42,10 +50,10 @@ ### Related topics -- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. +- [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035). Many customers depend on legacy features only available in older versions of Internet Explorer and are familiar with our Enterprise Mode tools for IE11. The Enterprise Mode has been extended to support to Microsoft Edge by opening any site specified on the Enterprise Mode Site List in IE11. IT Pros can use their existing IE11 Enterprise Mode Site List, or they can create a new one specifically for Microsoft Edge. By keeping Microsoft Edge as the default browser in Windows 10 and only opening legacy line of business sites in IE11 when necessary, you can help keep newer development projects on track, using the latest web standards on Microsoft Edge. - [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). Learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. -- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode. +- [Use the Enterprise Mode Site List Manager](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-site-list-manager). You can use IE11 and the Enterprise Mode Site List Manager to add individual website domains and domain paths and to specify whether the site renders using Enterprise Mode or the default mode.
\ No newline at end of file diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md index 4a65053d39..f7156818de 100644 --- a/browsers/edge/includes/set-default-search-engine-include.md +++ b/browsers/edge/includes/set-default-search-engine-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Not configured (Defined in App settings)* @@ -8,15 +16,12 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Not configured
**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../available-policies.md#allow-search-engine-customization) policy, users cannot make changes. | | -|Disabled |0 |0 |Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. | | -|Enabled |1 |1 |Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.

If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) | +|Not configured
**(default)** |Blank |Blank |Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | | +|Disabled |0 |0 |Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | | +|Enabled |1 |1 |Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want your users to use the default Microsoft Edge settings for each market, then set the string to **EDGEDEFAULT**.

If you would like your users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) | --- -### Configuration options - -For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md). ### ADMX info and settings #### ADMX info @@ -27,7 +32,7 @@ For more details about configuring the search engine, see [Search engine customi - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) +- **MDM name:** [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetDefaultSearchEngine - **Data type:** Integer @@ -45,8 +50,8 @@ For more details about configuring the search engine, see [Search engine customi ### Related topics -- [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. +- [!INCLUDE [microsoft-browser-extension-policy-shortdesc](../shortdesc/microsoft-browser-extension-policy-shortdesc.md)] -- [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Rich search integration is built into the Microsoft Edge address bar, including search suggestions, results from the web, your browsing history, and favorites. +- [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery): The Microsoft Edge address bar uses rich search integration, including search suggestions, results from the web, your browsing history, and favorites.

\ No newline at end of file diff --git a/browsers/edge/includes/set-home-button-url-include.md b/browsers/edge/includes/set-home-button-url-include.md index 7e9b36ea77..5e091f18ac 100644 --- a/browsers/edge/includes/set-home-button-url-include.md +++ b/browsers/edge/includes/set-home-button-url-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Blank)* [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] @@ -8,16 +16,11 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled or not configured
**(default)** |Blank |Blank |Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. | -|Enabled - String |String |String |Load a custom URL for the home button. You must also enable the [Configure Home Button](../new-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option.

Enter a URL in string format, for example, https://www.msn.com. | +|Disabled or not configured
**(default)** |Blank |Blank |Show the home button, load the Start pages, and lock down the home button to prevent users from changing what page loads. | +|Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com.

For this policy to work, you must also enable the [Configure Home Button](../available-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option. | --- -### Configuration options - -For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md). - - ### ADMX info and settings #### ADMX info - **GP English name:** Set Home Button URL @@ -27,7 +30,7 @@ For more details about configuring the different Home button options, see [Home - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) +- **MDM name:** Browser/[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) - **Supported devices:** Desktop and Mobile - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL - **Data type:** String @@ -39,8 +42,8 @@ For more details about configuring the different Home button options, see [Home ### Related policies -- [Configure Home Button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] +- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] -- [Unlock Home Button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]

diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md index ffd31bd264..8b9ac1c728 100644 --- a/browsers/edge/includes/set-new-tab-url-include.md +++ b/browsers/edge/includes/set-new-tab-url-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Blank)* [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] @@ -8,8 +16,8 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled or not configured
**(default)** |Blank |Blank |Load the default New tab page. | -|Enabled - String |String |String |Prevent users from changing the New tab page.

Enter a URL in string format, for example, https://www.msn.com. | +|Disabled or not configured
**(default)** |Blank |Blank |Load the default New Tab page. | +|Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com.

Enabling this policy prevents users from making changes.

| --- ### ADMX info and settings @@ -20,7 +28,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) +- **MDM name:** Browser/[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL - **Data type:** String diff --git a/browsers/edge/includes/show-message-opening-sites-ie-include.md b/browsers/edge/includes/show-message-opening-sites-ie-include.md index 75c8366ae9..c5e808c926 100644 --- a/browsers/edge/includes/show-message-opening-sites-ie-include.md +++ b/browsers/edge/includes/show-message-opening-sites-ie-include.md @@ -1,11 +1,20 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
>*Default setting: Disabled or not configured (No additional message)* [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + ### Supported values |Group Policy |MDM |Registry |Description |Most restricted | @@ -15,9 +24,6 @@ |Enabled |2 |2 |Show an additional message with a _Keep going in Microsoft Edge_ link to allow users to open the site in Microsoft Edge. | | --- -### Configuration options -For more details about configuring the search engine, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). - ### ADMX info and settings #### ADMX info - **GP English name:** Show message when opening sites in Internet Explorer @@ -26,7 +32,7 @@ For more details about configuring the search engine, see [Interoperability and - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) +- **MDM name:** Browser/[ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ShowMessageWhenOpeningSitesInInternetExplorer - **Data type:** Integer diff --git a/browsers/edge/includes/unlock-home-button-include.md b/browsers/edge/includes/unlock-home-button-include.md index e6cb4d2e9f..d2c2e44746 100644 --- a/browsers/edge/includes/unlock-home-button-include.md +++ b/browsers/edge/includes/unlock-home-button-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Home button is locked)* [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] @@ -8,15 +16,10 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled or not configured
**(default)** |0 |0 |Lock down and prevent users from making changes to the home button settings. | -|Enabled |1 |1 |Let users make changes. | +|Disabled or not configured
**(default)** |0 |0 |Locked, preventing users from making changes. | +|Enabled |1 |1 |Unlocked, letting users make changes. | --- - -### Configuration options - -For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md). - ### ADMX info and settings #### ADMX info - **GP English name:** Unlock Home Button @@ -25,7 +28,7 @@ For more details about configuring the different Home button options, see [Home - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) +- **MDM name:** Browser/[UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/UnlockHomeButton - **Data type:** Integer @@ -37,9 +40,9 @@ For more details about configuring the different Home button options, see [Home ### Related policies -- [Configure Home Button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] +- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] -- [Set Home Button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] +- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]

\ No newline at end of file diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml index f70b140995..9550d5d1d2 100644 --- a/browsers/edge/index.yml +++ b/browsers/edge/index.yml @@ -12,11 +12,11 @@ metadata: description: - text: Learn how to deploy and configure group policies in Microsoft Edge on Windows 10. Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + text: Learn how to deploy and configure group policies in Microsoft Edge on Windows 10. Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. keywords: Microsoft Edge, Windows 10 - ms.localizationpriority: high + ms.localizationpriority: medium author: shortpatti @@ -50,17 +50,7 @@ sections: items: - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/about-microsoft-edge - - html:

Learn about the system requirements and language support for Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_overview.svg - - title: System requirements and supported languages - - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/new-policies + - href: https://docs.microsoft.com/microsoft-edge/deploy/change-history-for-microsoft-edge html:

Learn more about the latest group policies and features added to Microsoft Edge.

@@ -70,6 +60,16 @@ sections: title: What's new + - href: https://docs.microsoft.com/microsoft-edge/deploy/about-microsoft-edge + + html:

Learn about the system requirements and language support for Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_overview.svg + + title: System requirements and supported languages + - href: https://www.microsoft.com/en-us/WindowsForBusiness/Compare html:

Learn about the supported features & functionality in each Windows edition.

@@ -80,7 +80,7 @@ sections: title: Compare Windows 10 Editions - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/security-privacy-management-gp html:

Learn how Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows.

@@ -90,7 +90,7 @@ sections: title: Security & protection - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp html:

Learch how you can use the Enterprise Mode site list for websites and apps that have compatibility problems in Microsoft Edge.

@@ -100,7 +100,7 @@ sections: title: Interoperability & enterprise guidance - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/index + - href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/index html:

Learn about the advanced VPN features you can add to improve the security and availability of your VPN connection.

@@ -122,11 +122,11 @@ sections: - title: Microsoft Edge resources - html:

Minimum system requirements

+ html:

Minimum system requirements

-

Supported languages

- -

Document change history

+

Supported languages

+ +

Document change history

Compare Windows 10 Editions

@@ -138,7 +138,7 @@ sections:

Measuring the impact of Microsoft Edge

- - title: Internet Explorer 11 resources + - title: IE11 resources html:

Deploy Internet Explorer 11 (IE11) - IT Pros

diff --git a/browsers/edge/managing-group-policy-admx-files.md b/browsers/edge/managing-group-policy-admx-files.md new file mode 100644 index 0000000000..2f76d6a665 --- /dev/null +++ b/browsers/edge/managing-group-policy-admx-files.md @@ -0,0 +1,24 @@ +--- +title: Managing group policy ADMX files +description: Learn how to centrally administer and incorporate ADMX files when editing the administrative template policy settings inside a local or domain-based Group Policy object. +ms.assetid: +author: shortpatti +ms.author: pashort +ms.prod: edge +ms.sitesec: library +ms.localizationpriority: medium +ms.date: 10/19/2018 +--- + +# Managing group policy ADMX files + +>Applies to: Microsoft Edge on Windows 10 + +ADMX files, which are registry-based policy settings provide an XML-based structure for defining the display of the Administrative Template policy settings in the Group Policy Object Editor. The ADMX files replace ADM files, which used a different markup language. + +>[!NOTE] +>The administrative tools you use—Group Policy Object Editor and Group Policy Management Console—remain mostly unchanged. In the majority of situations, you won’t notice the presence of ADMX files during your day-to-day Group Policy administration tasks. + +Unlike ADM files, ADMX files are not stored in individual GPOs by default; however, this behavior supports less common scenarios. For domain-based enterprises, you can create a central store location of ADMX files accessible by anyone with permission to create or edit GPOs. Group Policy tools continue to recognize other earlier ADM files you have in your existing environment. The Group Policy Object Editor automatically reads and displays Administrative Template policy settings from both the ADMX and ADM files. + +Some situations require a better understanding of how ADMX files are structured and the location of the files. In this article, we show you how ADMX files are incorporated when editing Administrative Template policy settings in a local or domain-based Group Policy object (GPO). diff --git a/browsers/edge/microsoft-browser-extension-policy-include.md b/browsers/edge/microsoft-browser-extension-policy-include.md deleted file mode 100644 index 03aabcbbff..0000000000 --- a/browsers/edge/microsoft-browser-extension-policy-include.md +++ /dev/null @@ -1 +0,0 @@ -[Microsoft browser extention policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy) \ No newline at end of file diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md index 59299f93a9..f989f0e5c8 100644 --- a/browsers/edge/microsoft-edge-faq.md +++ b/browsers/edge/microsoft-edge-faq.md @@ -1,51 +1,66 @@ --- -title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros (Microsoft Edge for IT Pros) -description: Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems. +title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros +description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. author: shortpatti ms.author: pashort ms.prod: edge +ms.topic: reference ms.mktglfcycl: general ms.sitesec: library ms.localizationpriority: medium -ms.date: 09/19/2017 +ms.date: 11/05/2018 --- -# Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros +# Frequently Asked Questions (FAQs) for IT Pros ->Applies to: Windows 10, Windows 10 Mobile +>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + +**Q: Why is the Sync settings option under Settings \> Accounts \> Sync your settings permanently disabled? + +**A:** In the Windows 10 Anniversary Update, domain-joined users who connected their Microsoft Account (MSA) could roam settings and data between Windows devices. A group policy to prevent users from connecting their MSAs exists, but this setting also prevents users from easily accessing their personal Microsoft services. Enterprises can still enable Enterprise State Roaming with Azure Active Directory. + +>In a nutshell, any fresh install of Windows 10 Creators Update or higher does not support funtionality if it's under an Active Directory, but works for Azure Active Directory. + +**Q: What is the size of the local storage for Microsoft Edge overall and per domain?** + +**A:** The limits are 5MB per subdomain, 10MB per domain, and 50MB total. **Q: What is the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?** -**A:** Microsoft Edge is the default browser for all Windows 10 devices. It is built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites on the web that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) to automatically send users to Internet Explorer 11 for those sites. +**A:** Microsoft Edge is the default browser for all Windows 10 devices. It is built to be highly compatible with the modern web. For some enterprise web apps and a small set of sites on the web that were built to work with older technologies like ActiveX, [you can use Enterprise Mode](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) to automatically send users to Internet Explorer 11 for those sites. For more information on how Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge, see [Legacy apps in the enterprise](https://blogs.windows.com/msedgedev/2017/04/07/legacy-web-apps-enterprise/#RAbtRvJSYFaKu2BI.97). **Q: Does Microsoft Edge work with Enterprise Mode?** -**A:** [Enterprise Mode](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) offers better backward compatibility and enables customers to run many legacy web applications. Microsoft Edge and Internet Explorer can be configured to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. For guidance and additional resources, please visit the [Microsoft Edge IT Center](https://technet.microsoft.com/en-us/microsoft-edge). +**A:** [Enterprise Mode](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11) offers better backward compatibility and enables customers to run many legacy web applications. Microsoft Edge and Internet Explorer can be configured to use the same Enterprise Mode Site List, switching seamlessly between browsers to support both modern and legacy web apps. **Q: I have Windows 10, but I don’t seem to have Microsoft Edge. Why?** -**A:** Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality and can't be supported on systems running LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. +**A:** Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016 and Windows Server 2019, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality and can't be supported on systems running LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. **Q: How do I get the latest Canary/Beta/Preview version of Microsoft Edge?** -**A:** You can access the latest preview version of Microsoft Edge by updating to the latest Windows 10 preview via the [Windows Insider Program](https://insider.windows.com/). To run the preview version of Microsoft Edge on a stable version of Windows 10 (or any other OS), you can download a [Virtual Machine](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/windows/) that we provide or use the upcoming RemoteEdge service. +**A:** You can access the latest preview version of Microsoft Edge by updating to the latest Windows 10 preview via the [Windows Insider Program](https://insider.windows.com/). To run the preview version of Microsoft Edge on a stable version of Windows 10 (or any other OS), you can download a [Virtual Machine](https://developer.microsoft.com/microsoft-edge/tools/vms/windows/) that we provide or use the upcoming RemoteEdge service. **Q: How do I customize Microsoft Edge and related settings for my organization?** -**A:** You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies) for a list of available policies for Microsoft Edge. +**A:** You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/index) for a list of available policies for Microsoft Edge and configuration combinations. **Q: Is Adobe Flash supported in Microsoft Edge?** -**A:** Currently, Adobe Flash is supported as a built-in feature of Microsoft Edge on devices running the desktop version of Windows 10. In July 2017, Adobe announced that Flash will no longer be supported after 2020. We will phase out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. This process began already for Microsoft Edge with [Click-to-Run for Flash](https://blogs.windows.com/msedgedev/2016/12/14/edge-flash-click-run/) in the Windows 10 Creators Update. +**A:** Currently, Adobe Flash is supported as a built-in feature of Microsoft Edge on devices running the desktop version of Windows 10. In July 2017, Adobe announced that Flash will no longer be supported after 2020. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](available-policies.md#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. -For more information about the phasing out of Flash, read the [End of an Era – Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#85ZBy7aiVlDQHebO.97) blog post. -**Q: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?** -**A:** No, ActiveX controls and BHOs such as Silverlight or Java are not supported in Microsoft Edge. The need for ActiveX controls has been significantly reduced by modern web standards, which are more interoperable across browsers. We are working on plans for an extension model based on the modern web platform in Microsoft Edge. We look forward to sharing more details on these plans soon. Not supporting legacy controls in Microsoft Edge provides many benefits including better interoperability with other modern browsers, as well as increased performance, security, and reliability. +To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). + + +**Q: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?** + +**A:** No. Microsoft Edge does not support ActiveX controls and BHOs such as Silverlight or Java. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. + **Q: How often will Microsoft Edge be updated?** @@ -77,5 +92,5 @@ For more information about the phasing out of Flash, read the [End of an Era – **Q: Will Windows 7 or Windows 8.1 users get Microsoft Edge or the new Microsoft EdgeHTML rendering engine?** -**A:** Microsoft Edge has been designed and built to showcase Windows 10 features like Cortana, and is built on top of the Universal Windows Platform. Although we don’t have any plans to bring Microsoft Edge to Windows 7 or Windows 8.1 at this time, you can test Microsoft Edge with older versions of Internet Explorer using [free virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/). +**A:** No. Microsoft Edge has been designed and built to showcase Windows 10 features like Cortana, and is built on top of the Universal Windows Platform. diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index 5a3b6328ee..a8f34188e6 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -1,294 +1,255 @@ --- -description: Microsoft Edge kiosk mode works with assigned access to allow IT, administrators, to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. +title: Deploy Microsoft Edge kiosk mode +description: Microsoft Edge kiosk mode works with assigned access to allow IT admins to create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. ms.assetid: author: shortpatti ms.author: pashort ms.prod: edge ms.sitesec: library -title: Deploy Microsoft Edge kiosk mode +ms.topic: get-started-article ms.localizationpriority: medium -ms.date: 07/25/2018 +ms.date: 10/29/2018 --- -# Deploy Microsoft Edge kiosk mode (Preview) +# Deploy Microsoft Edge kiosk mode ->Applies to: Microsoft Edge on Windows 10
->Preview build 17723 +>Applies to: Microsoft Edge on Windows 10, version 1809 +>Professional, Enterprise, and Education -Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). +In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk using assigned access. With assigned access, you create a tailored browsing experience locking down a Windows 10 device to only run as a single-app or multi-app kiosk. Assigned access restricts a local standard user account so that it only has access to one or more Windows app, such as Microsoft Edge in kiosk mode. -When you configure Microsoft Edge kiosk mode in assigned access, you can set it up to show only a single URL in full-screen, in the case of digital/interactive signage on a single-app kiosk device. You can restrict Microsoft Edge for public browsing (on a single and multi-app kiosk device) which runs a multi-tab version of InPrivate with limited functionality. Also, you can configure a multi-app kiosk device to run a full or normal version of Microsoft Edge. +In this topic, you learn how to configure the behavior of Microsoft Edge when it's running in kiosk mode with assigned access. You also learn how to set up your kiosk device using either Windows Setting or Microsoft Intune or other MDM service. -Digital/Interactive signage and public browsing protects the user’s data by running Microsoft Edge InPrivate. In single-app public browsing, there is both an idle timer and an 'End Session' button. The idle timer resets the browsing session after a specified time of user inactivity. - -In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to setup your Microsoft Edge kiosk mode experience. +At the end of this topic, you can find a list of [supported policies](#supported-policies-for-kiosk-mode) for kiosk mode and a [feature comparison](#feature-comparison-of-kiosk-mode-and-kiosk-browser-app) of the kiosk mode policy and kiosk browser app. You also find instructions on how to provide us feedback or get support. +## Kiosk mode configuration types -## Microsoft Edge kiosk types -Microsoft Edge kiosk mode supports **four** types, depending on how Microsoft Edge is set up in assigned access; single-app or multi-app kiosk. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access). +>**Policy** = Configure kiosk mode (ConfigureKioskMode) -### Single-app kiosk +Microsoft Edge kiosk mode supports four configurations types that depend on how Microsoft Edge is set up with assigned access, either as a single-app or multi-app kiosk. These configuration types help you determine what is best suited for your kiosk device or scenario. -When you set up Microsoft Edge kiosk mode in single-app assigned access, Microsoft Edge runs InPrivate either in full-screen or a limited multi-tab version for public browsing. For more details about setting up a single-app kiosk, see [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage). +- Learn about [creating a kiosk experience](https://docs.microsoft.com/windows-hardware/customize/enterprise/create-a-kiosk-image) -The single-app Microsoft Edge kiosk mode types include: + - [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage) -1. **Digital / Interactive signage** devices display a specific site in full-screen mode in which Microsoft Edge runs InPrivate mode. Examples of Digital signage are a rotating advertisement or menu. Examples of Interactive signage include an interactive museum display or a restaurant order/pay station. + - [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). -2. **Public browsing** devices run a limited multi-tab version of InPrivate and Microsoft Edge is the only app available. Users can’t minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge. Users can clear browsing data, downloads and restart Microsoft Edge by clicking the “End session” button. You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. A public library or hotel concierge desk are two examples of public browsing in single-app kiosk device. +- Learn about configuring a more secure kiosk experience: [Other settings to lock down](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down). - ![Public browsing Microsoft Edge kiosk mode on a single-app kiosk device](images/SingleApp_contosoHotel_inFrame.png) -### Multi-app kiosk -When you set up Microsoft Edge kiosk mode in multi-app assigned access, Microsoft Edge runs a limited multi-tab version of InPrivate or a normal browsing version. For more details about running a multi-app kiosk, or fixed-purpose device, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here you learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device. +### Important things to remember before getting started -The multi-app Microsoft Edge kiosk mode types include: +- The public browsing kiosk types run Microsoft Edge InPrivate mode to protect user data with a browsing experience designed for public kiosks. -3. **Public browsing** supports browsing the internet and runs InPrivate with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate windows. On a multi-app kiosk device, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access. You can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other app(s). +- Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue, and if no user activity Microsoft Edge resets the session to the default URL. By default, the idle timer is 5 minutes, but you can choose a value of your own. - ![Public browsing Microsoft Edge kiosk mode on a multi-app kiosk device](images/Multi-app_kiosk_inFrame.png) +- Optionally, you can define a single URL for the Home button, Start page, and New Tab page. See [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode) to learn more. -4. **Normal mode** mode runs a full version of Microsoft Edge, but some features may not work depending on what other apps you configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. +- No matter which configuration type you choose, you must set up Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy (Configure kiosk mode/ConfigureKioskMode).

Learn more about assigned access: - ![Normal Microsoft Edge kiosk mode on a multi-app kiosk device](images/Normal_inFrame.png) + - [Configure kiosk and shared devices running Windows desktop editions](https://aka.ms/E489vw). -## Let’s get started! -Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. You can set up Microsoft Edge kiosk mode in assigned access using: + - [Kiosk apps for assigned access best practices](https://aka.ms/H1s8y4). -- **Windows Settings.** Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings. You can configure Microsoft Edge in single-app (kiosk type – Full-screen or public browsing) and define a single URL for the Home button, Start page, and New tab page. You can also set the reset after an idle timeout. + - [Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3). -- **Microsoft Intune or other MDM service.** Best for setting up multiple devices as a kiosk. With this method, you configure Microsoft Edge in assigned access and configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access. - >[!NOTE] - >For other MDM service, check with your provider for instructions. +### Supported configuration types -- **Windows PowerShell.** Best for setting up multiple devices as a kiosk. With this method, you can set up single-app or multi-app assigned access using a PowerShell script. For details, see For details, see [Set up a kiosk or digital sign using Windows PowerShell](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-using-windows-powershell).  +[!INCLUDE [configure-kiosk-mode-supported-values-include](includes/configure-kiosk-mode-supported-values-include.md)] + +## Set up Microsoft Edge kiosk mode + +Now that you're familiar with the different kiosk mode configurations and have the one you want to use in mind, you can use one of the following methods to set up Microsoft Edge kiosk mode: + +- **Windows Settings.** Use only to set up a couple of single-app devices because you perform these steps physically on each device. For a multi-app kiosk device, use Microsoft Intune or other MDM service. + +- **Microsoft Intune or other MDM service.** Use to set up several single-app or multi-app kiosk devices. Microsoft Intune and other MDM service providers offer more options for customizing the Microsoft Edge kiosk mode experience using any of the [Supported policies for kiosk mode](#supported-policies-for-kiosk-mode). -- **Windows Configuration Designer.** Best for setting up multiple kiosk devices. Download and install both the latest version of the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and [Windows Configuration Manager](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-install-icd#install-windows-configuration-designer-1). ### Prerequisites -- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). +- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). -- Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the [AppUserModelID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app); this does not apply to the Windows Settings method. +- URL to load when the kiosk launches. The URL that you provide sets the Home button, Start page, and New Tab page. ->[!Important] ->If you are using a local account as a kiosk account in Intune or provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. +- _**For Microsoft Intune or other MDM service**_, you must have the AppUserModelID (AUMID) to set up Microsoft Edge: + + ``` + Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge + ``` -### Use Windows Settings +### Use Windows Settings -Windows Settings is the simplest and easiest way to set up one or a couple of devices because you must perform these steps on each device. This method is ideal for small businesses. +Windows Settings is the simplest and the only way to set up one or a couple of single-app devices. -1. In Windows Settings, select **Accounts** \> **Other people**. -2. Under **Set up a kiosk**, select **Assigned access**. +1. On the kiosk device, open Windows Settings, and in the search field type **kiosk** and then select **Set up a kiosk (assigned access)**. -3. Select **Get started**. +2. On the **Set up a kiosk** page, click **Get started**. -4. Create a standard user account or choose an existing account for your kiosk. +3. Type a name to create a new kiosk account, or choose an existing account from the populated list and click **Next**. -5. Select **Next**. +4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**. -6. On the **Choose a kiosk app** page, select **Microsoft Edge.** +5. Select how Microsoft Edge displays when running in kiosk mode: -7. Select **Next**. + - **As a digital sign or interactive display** - Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data. -8. Select how Microsoft Edge displays when running in kiosk mode: + - **As a public browser** - Runs a limited multi-tab version of Microsoft Edge, protecting user data. - - **As a digital sign or interactive display**, the default URL shows in full screen, without browser controls. +6. Select **Next**. - - **As a public browser**, the default URL shows in a browser view with limited browser controls. +7. Type the URL to load when the kiosk launches. -9. Select **Next**. +8. Accept the default value of **5 minutes** for the idle time or provide a value of your own. -10. Enter the URL that you want to load when the kiosk launches. +9. Click **Next**. - >[!NOTE] - >The URL sets the Home button, Start page, and New tab page. +10. Close the **Settings** window to save and apply your choices. -11. Microsoft Edge in kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If **Continue** is not selected, Microsoft Edge resets to the default URL. You can accept the default value of **5 minutes**, or you can choose your own idle timer value. +11. Restart the kiosk device and sign in with the local kiosk account to validate the configuration. -12. Select **Next**, and then select **Close**. +**_Congratulations!_**

You’ve just finished setting up a single-app kiosk device using Windows Settings. -13. Close **Settings** to save your choices automatically and apply them the next time the user account logs on. +**_What's next?_** -14. Configure the policies for Microsoft Edge kiosk mode. For details on the valid kiosk policy settings, see [Relevant policies](#relevant-policies). +- User your new kiosk device.

+ OR

+- Make changes to your kiosk device. In Windows Settings, on the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**. -15. Validate the Microsoft Edge kiosk mode by restarting the device and signing in with the local kiosk account. - -**_Congratulations!_** You’ve finished setting up Microsoft Edge in assigned access and a kiosk or digital sign, and configured browser policies for Microsoft Edge kiosk mode. - -**_Next steps._** -- Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. -- If you want to make changes to your kiosk, you can quickly change the display option and default URL for Microsoft Edge. - - 1. Go to **Start** \> **Settings** \> **Accounts** \> **Other people**. - - 2. Under **Set up a kiosk**, select **Assigned access**. - - 3. Make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**. +--- ### Use Microsoft Intune or other MDM service -With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. +With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. To learn about a few app fundamentals and requirements before adding them to Intune, see [Add apps to Microsoft Intune](https://docs.microsoft.com/intune/apps-add). -1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. +>[!IMPORTANT] +>If you are using a local account as a kiosk account in Microsoft Intune, make sure to sign into this account and then sign out before configuring the kiosk device. -2. Configure the following MDM settings to control a web browser app on the kiosk device and then restart the device. +1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. - | | | - |---|---| - | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| - | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| - | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | - | **[ConfigureHomeButton](new-policies.md#configure-home-button)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| - | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | - | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | - --- -
+2. Configure the following MDM settings to setup Microsoft Edge kiosk mode on the kiosk device and then restart the device. -**_Congratulations!_** You’ve finished setting up a kiosk or digital signage and configuring policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. + | | | + |---|---| + | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| + | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets the user's session.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| + | **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | + | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| + | **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | + -**_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. +**_Congratulations!_**

You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. -### Use a provisioning package - -With this method, you can use a provisioning package to configure Microsoft Edge kiosk mode in assigned access. After you set up the provisioning package for configuring Microsoft Edge in assigned access, you configure how Microsoft Edge behaves on a kiosk device. - -1. Open Windows Configuration Designer to create a provisioning package and configure Microsoft Edge in assigned access. - -2. After creating the provisioning package and configuring assigned access, and before you build the package, switch to the advanced editor. - -3. Navigate to **Runtime settings \> Policies \> Browser** and set the following policies: - - | | | - |---|---| - | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| - | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| - | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | - | **[ConfigureHomeButton](new-policies.md#configure-home-button)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| - | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | - | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | - --- -
-4. After you’ve configured the Microsoft Edge kiosk mode policies, including any of the related policies, it’s time to build the package. - -5. Click **Finish**. The wizard closes taking you back to the Customizations page. - -6. Apply the provisioning package to the device, which you can do during the first-run experience (out-of-box experience or OOBE) and after (runtime). For more details, see [Apply a provisioning package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package). - -**_Congratulations!_** You’ve finished creating your provisioning package for Microsoft Edge kiosk mode. - -**_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. +**_What's next?_**

Now it's time to use your new kiosk device. Sign into the device with the kiosk account selected to run Microsoft Edge kiosk mode. --- -## Relevant policies -Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser). +## Supported policies for kiosk mode + +Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser). + +Make sure to check with your provider for instructions. | **MDM Setting** | **Digital /
Interactive signage** | **Public browsing
single-app** | **Public browsing
multi-app** | **Normal
mode** | |------------------|:---------:|:---------:|:---------:|:---------:| -| [AllowAddressBarDropdown](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowAutofill](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowBrowser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowCookies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowDeveloperTools](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowDoNotTrack](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | ![Supported](images/148767.png)2 | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowFullscreen](new-policies.md#allow-fullscreen-mode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowPrelaunch](new-policies.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowPrinting](new-policies.md#allow-printing)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSavingHistory](new-policies.md#allow-saving-history)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSideloadingOfExtensions](new-policies.md#allow-sideloading-of-extensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowTabPreloading](new-policies.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AllowWebContentOnNewTabPage](available-policies.md#allow-web-content-on-new-tab-page)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureFavoritesBar](new-policies.md#configure-favorites-bar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureHomeButton](new-policies.md#configure-home-button)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -|  [ConfigureKioskMode](new-policies.md#configure-kiosk-mode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -|  [ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [ConfigureOpenMicrosoftEdgeWith](new-policies.md#configure-open-microsoft-edge-with)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ConfigureTelemetryForMicrosoft365Analytics](new-policies.md#configure-collection-of-browsing-data-for-microsoft-365-analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [Experience/DoNotSyncBrowserSetting](available-policies.md#do-not-sync-browser-settings)\* and [Experience/PreventUsersFromTurningOnBrowserSyncing](new-policies.md#prevent-users-from-turning-on-browser-syncing)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [FirstRunURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | -| [HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventCertErrorOverrides](new-policies.md#prevent-certificate-error-overrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | ![Supported](images/148767.png) | ![Supported](images/148767.png)| ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventTurningOffRequiredExtensions](new-policies.md#prevent-turning-off-required-extensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SetHomeButtonURL](new-policies.md#set-home-button-url)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [SetNewTabPageURL](new-policies.md#set-new-tab-page-url)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | -| [UnlockHomeButton](new-policies.md#unlock-home-button)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -| [UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ---- +| [AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowaddressbardropdown) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowautofill) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowbrowser) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowcookies) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdevelopertools) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowdonottrack) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | ![Supported](images/148767.png)2 | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowFullscreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSideloadingExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +|  [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [ConfigureOpenEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)\* and [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [FirstRunURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | +| [HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | ![Supported](images/148767.png) | ![Supported](images/148767.png)| ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) | +| [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +| [UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | -*\* New policy coming in the next release of Windows 10.*

+ +*\* New policy as of Windows 10, version 1809.*

*1) For multi-app assigned access, you must configure Internet Explorer 11.*
-*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun].(https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.* +*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.* **Legend:**

       ![Not supported](images/148766.png) = Not applicable or not supported
       ![Supported](images/148767.png) = Supported ---- +--- -## Related topics +## Feature comparison of kiosk mode and kiosk browser app +In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access. -- **[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage)**: Learn about the different methods to configuring your kiosks and digitals signs. Also, learn about the settings you can use to lock down the kiosk for a more secure kiosk experience. +| **Feature** | **Microsoft Edge kiosk mode** | **Microsoft Kiosk browser app** | +|---------------|:----------------:|:---------------:| +| Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Allow/Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | +| Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | +| Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | +| End session button | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*In Microsoft Intune, you must create a custom URI to enable. Dedicated UI configuration introduced in version 1808.* | +| Reset on inactivity | ![Supported](images/148767.png) | ![Supported](images/148767.png) | +| Internet Explorer integration (Enterprise Mode site list) | ![Supported](images/148767.png)

*Multi-app mode only* | ![Not supported](images/148766.png) | +| Available in Microsoft Store | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | +|SKU availability | Windows 10 October 2018 Update
Professional, Enterprise, and Education | Windows 10 April 2018 Update
Professional, Enterprise, and Education | -- **[Create a Kiosk Experience](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/create-a-kiosk-image):** Learn how to set up single-function kiosk devices, such as restaurant menus, and optional features for a welcome screen or power button availability. Also, learn how to create a multi-app kiosk, or fixed-purpose device, to provide an easy-to-understand experience giving users the things they need to use. -- **[Configure a Windows 10 kiosk that runs multiple apps](https://aka.ms/Ckmq4n):** Learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device. - -- **[Kiosk apps for assigned access best practices](https://aka.ms/H1s8y4):** In Windows 10, you can use assigned access to create a kiosk device, which enables users to interact with just a single Universal Windows app. Learn about the best practices for implementing a kiosk app. - -- **[Guidelines for choosing an app for assigned access (kiosk mode)](https://aka.ms/Ul7dw3):** Assigned access restricts a local standard user account on the device so that it only has access to a single-function device, like a kiosk. Learn about the guidelines for choosing a Windows app, web browsers, and securing your information. Also, learn about additional configurations required for some apps before it can work properly in assigned access. - -- **[Other settings to lock down](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#other-settings-to-lock-down):** Learn how to configure a more secure kiosk experience. In addition to the settings, learn how to set up **automatic logon** for your kiosk device. For example, when the kiosk device restarts, you can log back into the device manually or by setting up automatic logon. - -- **[Add apps to Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add):** Learn about and understand a few app fundamentals and requirements before adding them to Intune and making them available to your users. - -- **[AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/en-us/windows/client-management/mdm/assignedaccess-csp):** The AssignedAccess configuration service provider (CSP) sets the device to run in kiosk mode. Once the CSP has executed, then the next user login associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration. - -- **[Create a provisioning page for Windows 10](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package):** Learn to use Windows Configuration Designer (WCD) to create a provisioning package (.ppkg) for configuring devices running Windows 10. The WCD wizard options provide a simple interface to configure desktop, mobile, and kiosk device settings. - ---- - -## Known issues with prerelease build 17723 - -When you set up Microsoft Edge kiosk mode on a single-app kiosk device you must set the “ConfigureKioskMode” policy because the default behavior is not honored. -- **Expected behavior** – Microsoft Edge kiosk mode launches in full-screen mode. -- **Actual behavior** – Normal Microsoft Edge launches. +**\*Windows Defender Firewall**

+To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide). --- @@ -298,27 +259,5 @@ To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Micro **_For multi-app kiosk only._** If you have set up the Feedback Hub in assigned access, you can you submit the feedback from the device running Microsoft Edge in kiosk mode in which you can include diagnostic logs. In the Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory. ---- -## Feature comparison of kiosk mode and kiosk browser app -In the following table, we show you the features available in both Microsoft Edge kiosk mode and Kiosk Browser app available in Microsoft Store. Both kiosk mode and kiosk browser app work in assigned access. -| **Feature** | **Microsoft Edge kiosk mode** | **Kiosk Browser** | -|---------------|:----------------:|:---------------:| -| Print support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Multi-tab support | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Allow URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | -| Block URL support | ![Supported](images/148767.png)

*\*For Microsoft Edge kiosk mode use* [Windows Defender Firewall](#_*Windows_Defender_Firewall)*. Microsoft kiosk browser has custom policy support.* | ![Supported](images/148767.png) | -| Configure Home Button | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| Set Start page(s) URL | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*Same as Home button URL* | -| Set New Tab page URL | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| Favorites management | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | -| End session button | ![Supported](images/148767.png) | ![Supported](images/148767.png)

*In Intune, must create custom URI to enable. Dedicated UI configuration targeted for 1808.* | -| Reset on inactivity | ![Supported](images/148767.png) | ![Supported](images/148767.png) | -| Internet Explorer integration (Enterprise Mode site list) | ![Supported](images/148767.png)

*Multi-app mode only* | ![Not supported](images/148766.png) | ---- - -**\*Windows Defender Firewall**

-To prevent access to unwanted websites on your kiosk device, use Windows Defender Firewall to configure a list of allowed websites, blocked websites or both. For more details, see [Windows Defender Firewall with Advanced Security Deployment](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide). - ---- \ No newline at end of file diff --git a/browsers/edge/new-policies.md b/browsers/edge/new-policies.md deleted file mode 100644 index 421bd3945c..0000000000 --- a/browsers/edge/new-policies.md +++ /dev/null @@ -1,116 +0,0 @@ ---- -description: Microsoft Edge now has new Group Policies and MDM Settings for IT administrators to configure Microsoft Edge. The new policies allow you to enable/disabled full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions. -ms.assetid: -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -title: New Microsoft Edge Group Policies and MDM settings -ms.localizationpriority: medium -author: shortpatti -ms.author: pashort -ms.date: 07/25/2018 ---- - -# New Microsoft Edge Group Policies and MDM settings (Preview) - -> Applies to: Microsoft Edge on Windows 10
-> Preview build 17713+ - -The Microsoft Edge team introduces new Group Policies and MDM Settings for the Windows 10 Insider Preview Build 17713+. The new policies allow IT administrators to enable/disable full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions. - -We are discontinuing the **Configure Favorites** group policy. Use the **[Provision Favorites](available-policies.md#provision-favorites)** instead. - - - ->>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: ->> ->>      **_Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\_** -

- - - -| **Group Policy** | **New/update?** | **MDM Setting** | **New/update?** | -| --- | --- | --- | --- | -| [Allow fullscreen mode](#allow-fullscreen-mode) | New | [AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) | New | -| [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-prelaunch) | New | [AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | New | -| [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | New | [AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | New | -| [Allow printing](#allow-printing) | New | [AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | New | -| [Allow Saving History](#allow-saving-history) | New | [AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | New | -| [Allow sideloading of Extensions](#allow-sideloading-of-extensions) | New | [AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | New | -| [Allow web content on new tab page](available-policies.md#allow-web-content-on-new-tab-page) | -- | [AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | New | -| [Configure collection of browsing data for Microsoft 365 Analytics](#configure-collection-of-browsing-data-for-microsoft-365-analytics) | New | [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | New | -| [Configure Favorites Bar](#configure-favorites-bar) | New | [ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | New | -| [Configure Home Button](#configure-home-button) | New | [ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | New | -| [Configure kiosk mode](#configure-kiosk-mode) | New | [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | New | -| [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout) | New | [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | New | -| [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) | New | [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | New | -| [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) | New | -| [Prevent certificate error overrides](#prevent-certificate-error-overrides) | New | [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | New | -| [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing) | New | [Experience/PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) | New | -| [Prevent turning off required extensions](#prevent-turning-off-required-extensions) | New | [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) | New | -| [Set Home Button URL](#set-home-button-url) | New | [SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | New | -| [Set New Tab page URL](#set-new-tab-page-url) | New | [SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | New | -| [Show message when opening sites in Internet Explorer](#showmessagewhenopeninginteretexplorersites) | Updated | [ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | Updated | -| [Unlock Home Button](#unlock-home-button) | New | [UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | New | ---- - - - - -## Allow fullscreen mode -[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] - -## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed -[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] - -## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed -[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] - -## Allow printing -[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] - -## Allow Saving History -[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] - -## Allow sideloading of Extensions -[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] - -## Configure collection of browsing data for Microsoft 365 Analytics -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] - -## Configure Favorites Bar -[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] - -## Configure Home Button -[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] - -## Configure kiosk mode -[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] - -## Configure kiosk reset after idle timeout -[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] - -## Configure Open Microsoft Edge With -[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] - -## Prevent certificate error overrides -[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] - -## Prevent turning off required extensions -[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] - -## Prevent users from turning on browser syncing -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] - -## Set Home Button URL -[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] - -## Set New Tab page URL -[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] - -## Show message when opening sites in Internet Explorer -[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] - -## Unlock Home Button -[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] - diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md deleted file mode 100644 index ae5d5916d8..0000000000 --- a/browsers/edge/security-enhancements-microsoft-edge.md +++ /dev/null @@ -1,119 +0,0 @@ ---- -description: Microsoft Edge is designed with significant security improvements over existing browsers, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) -ms.localizationpriority: medium -ms.date: 10/16/2017 -ms.author: pashort -author: shortpatti ---- - -# Security enhancements for Microsoft Edge - ->Applies to: Windows 10, Windows 10 Mobile - -Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. - -## Help to protect against web-based security threats -While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. Thieves by nature don’t care about rules, and will use any means to take advantage of victims, most often using trickery or hacking: - -- **Trickery** uses things like “phishing” attacks to convince a person to enter a banking password into a website that looks like the bank, but isn’t. - -- **Hacking** attacks a system through malformed content that exploits subtle flaws in a browser, or in various browser extensions, such as video decoders. This exploit lets an attacker run code on a device, taking over first a browsing session, and perhaps ultimately the entire device. - -While trickery and hacking are threats faced by every browser, it’s important that we explore how Microsoft Edge addresses these threats and is helping make the web a safer experience. - -### Help against trickery -Web browsers can help defend your employees against trickery by identifying and blocking known tricks, and by using strong security protocols to ensure that they’re talking to the web site they think they’re talking to. - -#### Windows Hello -Phishing scams get people to enter passwords into a fake version of a trusted website, such as a bank. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success, since attackers are too good at faking legitimate experiences for many people to notice the difference. - -To really address this problem, we need to stop people from entering plain-text passwords into websites. So in Windows 10, we gave you [Windows Hello](http://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/) technology with asymmetric cryptography that authenticates both the person and the website. - -Microsoft Edge is the first browser to natively support Windows Hello as a more personal, seamless, and secure way to authenticate on the web, powered by an early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](http://w3c.github.io/webauthn/). - -#### Microsoft SmartScreen -Microsoft SmartScreen, used in Windows 10 and both Internet Explorer 11 and Microsoft Edge, helps to defend against phishing by performing reputation checks on visited sites and blocking any sites that are thought to be phishing sites. SmartScreen also helps to defend people against being tricked into installing malicious [socially-engineered software downloads](http://operationstech.about.com/od/glossary/g/Socially-Engineered-Malware.htm and against [drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/). Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software, and may be hosted on trusted sites. - -#### Certificate Reputation system -While people trust sites that have encrypted web traffic, that trust can be undermined by malicious sites using improperly obtained or fake certificates to impersonate legitimate sites. To help address this problem, we introduced the [Certificate Reputation system](https://blogs.msdn.com/b/ie/archive/2014/03/10/certificate-reputation-a-novel-approach-for-protecting-users-from-fraudulent-certificates.aspx) last year. This year, we’ve extended the system to let web developers use the [Bing Webmaster Tools](http://www.bing.com/toolbox/webmaster) to report directly to Microsoft to let us know about fake certificates. - -### Help against hacking -While Microsoft Edge has done much to help defend against trickery, the browser’s “engine” has also been overhauled to resist hacking (attempts to corrupt the browser itself) including a major overhaul of the DOM representation in the browser’s memory, and the security mitigations described here. - -#### Microsoft EdgeHTML and modern web standards -Microsoft Edge has a new rendering engine, Microsoft EdgeHTML, which is focused on modern standards that let web developers build and maintain a consistent site across all modern browsers. - -The Microsoft EdgeHTML engine also helps to defend against hacking through these new security standards features: - -- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks. - -- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured. - ->[!NOTE] ->Both Microsoft Edge and Internet Explorer 11 support HSTS. - -#### All web content runs in an app container sandbox -Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](https://windows.microsoft.com/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins. - -Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology, providing a stronger sandbox by adding deny-by-default and no-read-up semantics. EPM was turned on by default in the Windows 8 and Windows 8.1 immersive browser, but was optional on the Internet Explorer 10 and Internet Explorer 11 desktop versions. - -Microsoft Edge takes the sandbox even farther, running its content processes in app containers not just by default, but all of the time. Because Microsoft Edge doesn’t support 3rd party binary extensions, there’s no reason for it to run outside of the containers, ensuring that Microsoft Edge is more secure. - -#### Microsoft Edge is now a 64-bit app -The largest security change to Microsoft Edge is that it's designed like a Universal Windows app. By changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the assorted content processes all live within app container sandboxes; helping to provide the user and the platform with the [confidence](https://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and-trustworthy-metro-style-apps.aspx) provided by other Microsoft Store apps. - -##### 64-bit processes and Address Space Layout Randomization (ASLR) -Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system. - -The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR). ASLR randomizes the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find the sensitive memory components they’re looking for. - -#### New extension model and HTML5 support -Back in 1996, we introduced ActiveX for web browser extensions in an attempt to let 3rd parties experiment with various forms of alternate content on the web. However, we quickly learned that browser extensions can come at a cost of security and reliability. For example, binary extensions can bring code and data into the browser’s processes without any protection, meaning that if anything goes wrong, the entire browser itself can be compromised or go down. - -Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). - -#### Reduced attack surfaces -In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible. - -Because of the reduced backward compatibility, we’ve given Microsoft Edge the ability to automatically fall back to Internet Explorer 11, using the Enterprise Mode Site List, for any apps that need backward compatibility. - -#### Code integrity and image loading restrictions -Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or being injected into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as, UNC or WebDAV) can’t be loaded. - -#### Memory corruption mitigations -Memory corruption happens most frequently to apps written in C or C++ because those languages don’t provide type safety or buffer overflow protection. Broadly speaking, memory corruption attacks happen when an attacker provides malformed input to a program and the program can’t handle it, corrupting the program’s memory state and allowing the attacker to take control of the program. - -Over the years, a broad variety of mitigations have been created around memory corruption, but even as these mitigations roll out, attackers adapt and invent new ways to attack. At the same time, we’ve responded with new memory safety defenses, mitigating the most common new forms of attack, including and especially [use-after-free (UAF)](http://cwe.mitre.org/data/definitions/416.html) vulnerabilities. - -##### Memory Garbage Collector (MemGC) mitigation -MemGC is the replacement for Memory Protector, currently turned on for both Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7 and newer operating systems. MemGC is a memory garbage collection system that helps to defend the browser from UAF vulnerabilities by taking the responsibility for freeing memory away from the programmer and instead automating it, only freeing memory when the automation detects that there are no more references left pointing to a given block of memory. - -##### Control Flow Guard -Ultimately, attackers use memory corruption attacks to gain control of the CPU program counter so that they can jump to any code location they want. Control Flow Guard is a Microsoft Visual Studio technology that compiles checks around code that performs indirect jumps based on a pointer, restricting those jumps to only go to function entry points with known addresses. This makes attacker take-overs much more difficult by severely constraining where a memory corruption attack can jump to. - -#### Designed for security -We’ve spent countless hours reviewing, testing, and using Microsoft Edge to make sure that you’re more protected than ever before. - -##### Fuzzing/Static Analysis -We’ve devoted more than 670 machine-years to fuzz testing Microsoft Edge and Internet Explorer during product development, including monitoring for possible exceptions such as crashes or memory leaks. We’ve also generated more than 400-billion DOM manipulations from 1-billion HTML files. Because of all of this, hundreds of security issues were addressed before the product shipped. - -##### Code Review & Penetration Testing -Over 70 end-to-end security engagements reviewed all key features, helping to address security implementation and design issues before shipping. - -##### Windows REDTEAM -The Windows REDTEAM emulates the techniques and expertise of skilled, real-world attackers. Exploited Microsoft Edge vulnerabilities discovered through penetration testing can be addressed before public discovery and real-world exploits. - - - - - - - - - - diff --git a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md index 19e8c5a8a4..7eb5da6bd4 100644 --- a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md +++ b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md @@ -1 +1,9 @@ -Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md index 4a49c8dc67..d970c98301 100644 --- a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md +++ b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md index 6c0c3cf0be..a06ece3f82 100644 --- a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md +++ b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md index 31127ca2d7..75e6fa71ed 100644 --- a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md +++ b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md index e5fd1dde74..69f981f0d4 100644 --- a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md +++ b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-cortana-shortdesc.md b/browsers/edge/shortdesc/allow-cortana-shortdesc.md index 2857a93d27..cc694ab73b 100644 --- a/browsers/edge/shortdesc/allow-cortana-shortdesc.md +++ b/browsers/edge/shortdesc/allow-cortana-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md index b9bab04325..ef095e5733 100644 --- a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md +++ b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md index 1c11de47c0..1bbf337754 100644 --- a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md +++ b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-extensions-shortdesc.md index 2d1f8ec802..41849af3ef 100644 --- a/browsers/edge/shortdesc/allow-extensions-shortdesc.md +++ b/browsers/edge/shortdesc/allow-extensions-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md index 0ce0f11a60..6f37d4a659 100644 --- a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md +++ b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md @@ -1 +1,9 @@ -Microsoft Edge allows full-screen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing full-screen mode, users and extensions must have the proper permissions. Disabling this policy prevents full-screen mode in Microsoft Edge. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md index 75def749bb..0171d9c8a5 100644 --- a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md +++ b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md index a56056d3e9..769d1ee379 100644 --- a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md +++ b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md index 405fca5e9c..3d939db8c0 100644 --- a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md +++ b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-printing-shortdesc.md b/browsers/edge/shortdesc/allow-printing-shortdesc.md index 5abb3b7dc7..b9e4cf691f 100644 --- a/browsers/edge/shortdesc/allow-printing-shortdesc.md +++ b/browsers/edge/shortdesc/allow-printing-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md index bec7172c23..e37a1e9bfc 100644 --- a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md +++ b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md index 2b4e25a7c3..e94443a99b 100644 --- a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md +++ b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md index bb723ab0c6..e9e9fd0512 100644 --- a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md +++ b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md index 3b245ca258..b276822d74 100644 --- a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md +++ b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md @@ -1 +1,9 @@ -Microsoft Edge allows preloading of the Start and New tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md index bad40654c0..a056b0a737 100644 --- a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md +++ b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md @@ -1 +1,9 @@ -By default, Microsoft Edge loads the default New tab page. Disabling this policy loads a blank page instead of the New tab page and prevents users from changing it. Not configuring this policy lets users choose what loads on the New tab page. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 11/02/2018 +ms.prod: edge +ms:topic: include +--- + +By default, Microsoft Edge loads the default New Tab page and lets the users make changes. If you disable this policy, a blank page loads instead of the New Tab page and prevents users from changing it. \ No newline at end of file diff --git a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md index 7ec95879df..86ac25c632 100644 --- a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md +++ b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md @@ -1 +1,9 @@ -With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data is shared through the SharedLocal folder, which is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder. \ No newline at end of file diff --git a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md index 9a382427fa..a91b389923 100644 --- a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md +++ b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md @@ -1 +1,9 @@ -Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md index c68642520a..39961b4f01 100644 --- a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md +++ b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md @@ -1 +1,9 @@ -By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. With this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. However, with this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md index c58d446834..d0be48cb2b 100644 --- a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md +++ b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md b/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/browsers/edge/shortdesc/configure-autofill-shortdesc.md b/browsers/edge/shortdesc/configure-autofill-shortdesc.md index 247308fee8..1688989ef7 100644 --- a/browsers/edge/shortdesc/configure-autofill-shortdesc.md +++ b/browsers/edge/shortdesc/configure-autofill-shortdesc.md @@ -1 +1,9 @@ -By default, users can choose to use the Autofill feature to automatically populate the form fields. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md index 6a9cce12e0..32abbdf60a 100644 --- a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md +++ b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-cookies-shortdesc.md b/browsers/edge/shortdesc/configure-cookies-shortdesc.md index a35c4d0f31..ea5cb7e557 100644 --- a/browsers/edge/shortdesc/configure-cookies-shortdesc.md +++ b/browsers/edge/shortdesc/configure-cookies-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md index d3026c51e7..f9de9cd2ec 100644 --- a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md +++ b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md index 80383e4f0a..fd49f0e0c9 100644 --- a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md +++ b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md index 4536456e59..0303f69e10 100644 --- a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md +++ b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md @@ -1 +1,9 @@ -Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. With this policy, you can configure Microsoft Edge to either show or hide the favorites bar on all pages. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-favorites-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-shortdesc.md index c5bfae7541..ae90afc8af 100644 --- a/browsers/edge/shortdesc/configure-favorites-shortdesc.md +++ b/browsers/edge/shortdesc/configure-favorites-shortdesc.md @@ -1 +1,9 @@ -Discontinued in Windows 10, version 1810. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +Discontinued in Windows 10, version 1809. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-home-button-shortdesc.md b/browsers/edge/shortdesc/configure-home-button-shortdesc.md index 8f31b8505f..7a0260f8ea 100644 --- a/browsers/edge/shortdesc/configure-home-button-shortdesc.md +++ b/browsers/edge/shortdesc/configure-home-button-shortdesc.md @@ -1 +1,9 @@ -Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-inprivate-shortdesc.md b/browsers/edge/shortdesc/configure-inprivate-shortdesc.md deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md index a0e1cbf398..ea135db692 100644 --- a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md +++ b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md @@ -1 +1,9 @@ -Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with a tailored experience for kiosks, or normal browsing in Microsoft Edge. diff --git a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md index 4772d2d2dd..3bcba1b944 100644 --- a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md +++ b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md index 7383d68455..5bf099b3ca 100644 --- a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md +++ b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md @@ -1 +1,9 @@ -By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New Tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md index 63a62cfff5..0f77b004ba 100644 --- a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md +++ b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md index e89395a2ab..18d5e9bf38 100644 --- a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md +++ b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md @@ -1 +1,10 @@ -Microsoft Edge turns off Pop-up Blocker allowing pop-up windows to appear. Enabling this policy turns on Pop-up Blocker stopping pop-up windows from appearing. Don’t configure this policy to let users choose to use Pop-up Blocker. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, don’t configure this policy. + diff --git a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md index e95e652f45..f9e057b6a5 100644 --- a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md +++ b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md index f027fdb17e..f9b5185f3d 100644 --- a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md +++ b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes. \ No newline at end of file diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md index 752f554dca..58dfd6be9a 100644 --- a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md +++ b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off. \ No newline at end of file diff --git a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md index 9286227f0e..e0c635c0c7 100644 --- a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md +++ b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy. \ No newline at end of file diff --git a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md index 5e485a0200..93ecd60efe 100644 --- a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md +++ b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option. \ No newline at end of file diff --git a/browsers/edge/shortdesc/do-not-sync-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-shortdesc.md index 69425a77f3..5902fb6656 100644 --- a/browsers/edge/shortdesc/do-not-sync-shortdesc.md +++ b/browsers/edge/shortdesc/do-not-sync-shortdesc.md @@ -1 +1,9 @@ -By default, Microsoft Edge turns on the Sync your Settings toggle in Settings and let users choose what to sync on their device. Enabling this policy turns off and disables the Sync your Settings toggle in Settings, preventing syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option in this policy. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +By default, Microsoft Edge turns on the _Sync your settings_ toggle in **Settings > Device sync settings** letting users choose what to sync on their devices. Enabling this policy turns off and disables the _Sync your settings_ toggle preventing the syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option. \ No newline at end of file diff --git a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md index 71de365bde..981ef9d876 100644 --- a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md +++ b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites. \ No newline at end of file diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md index 132291b931..efc6fc71a1 100644 --- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md +++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md @@ -1 +1,10 @@ -This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +[Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy): +This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md index b13677be33..518f94bdea 100644 --- a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page. \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md index 135bd4f574..6330b51213 100644 --- a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md @@ -1 +1,9 @@ -By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of unverified file(s). \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s). \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md index 56a2ecdd15..d5eaea4a31 100644 --- a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site. \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md index 0d4351e0cb..156b1bb385 100644 --- a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md @@ -1 +1,9 @@ -Web security certificates are used to ensure a site that users go to is legitimate, and in some circumstances, encrypts the data. By default, Microsoft Edge allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings. \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md index 195318866f..78c77baf42 100644 --- a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers. \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md index 4be519322f..87d3b927ed 100644 --- a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md @@ -1 +1,9 @@ -By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a more complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users a limited experience. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience. \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md index f587cc839c..af24d3583b 100644 --- a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md @@ -1 +1,9 @@ -By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via a FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch. \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md index e428d938ed..7875990600 100644 --- a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy. \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md index 1211a69dfa..daa02c5729 100644 --- a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy. \ No newline at end of file diff --git a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md index defb76bdf5..4ba3bff11a 100644 --- a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md +++ b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses. \ No newline at end of file diff --git a/browsers/edge/shortdesc/provision-favorites-shortdesc.md b/browsers/edge/shortdesc/provision-favorites-shortdesc.md index 7f02b200c8..e2ed5da50f 100644 --- a/browsers/edge/shortdesc/provision-favorites-shortdesc.md +++ b/browsers/edge/shortdesc/provision-favorites-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured. \ No newline at end of file diff --git a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md index c5684bc753..454549bffe 100644 --- a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md +++ b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar. \ No newline at end of file diff --git a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md index 296965ba86..79dfd220c1 100644 --- a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md +++ b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically. \ No newline at end of file diff --git a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md index 839e07428b..c9d57f2140 100644 --- a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md +++ b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md @@ -1 +1,9 @@ -By default, Microsoft Edge uses the default search engine specified in App settings. In this case, users can make changes to the default search engine at any time unless the Allow search engine customization policy is disabled, which restricts users from making any changes. Disabling this policy removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. Enabling this policy uses the policy-set search engine specified in the OpenSearch XML file, prevent users from changing the default search engine. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes. \ No newline at end of file diff --git a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md index 80b7cf8040..98fcc7aef2 100644 --- a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md +++ b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button. \ No newline at end of file diff --git a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md index 35ae30c337..9f27db97ce 100644 --- a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md +++ b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md @@ -1 +1,9 @@ -Microsoft Edge loads the default New tab page by default. Enabling this policy lets you set a New tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank. \ No newline at end of file +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + +Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank. \ No newline at end of file diff --git a/browsers/edge/shortdesc/shortdesc-test.md b/browsers/edge/shortdesc/shortdesc-test.md deleted file mode 100644 index 2c796253ef..0000000000 --- a/browsers/edge/shortdesc/shortdesc-test.md +++ /dev/null @@ -1 +0,0 @@ -UI settings for the home button are disabled preventing your users from making changes \ No newline at end of file diff --git a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md index 80e4360bb0..a15e780afe 100644 --- a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md +++ b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md @@ -1 +1,8 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both. \ No newline at end of file diff --git a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md index aff697e8f0..d412d67e72 100644 --- a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md +++ b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies. \ No newline at end of file diff --git a/browsers/edge/troubleshooting-microsoft-edge.md b/browsers/edge/troubleshooting-microsoft-edge.md new file mode 100644 index 0000000000..3f3707624b --- /dev/null +++ b/browsers/edge/troubleshooting-microsoft-edge.md @@ -0,0 +1,35 @@ +--- +title: Troubleshoot Microsoft Edge +description: +ms.assetid: +author: shortpatti +ms.author: pashort +ms.prod: edge +ms.sitesec: library +title: Deploy Microsoft Edge kiosk mode +ms.localizationpriority: medium +ms.date: 10/15/2018 +--- + +# Troubleshoot Microsoft Edge + + +## Microsoft Edge and IPv6 +We are aware of the known issue with Microsoft Edge and all UWP-based apps, such as Store, Mail, Feedback Hub, and so on. It only happens if you have disabled IPv6 (not recommended), so a temporary workaround is to enable it. + +## Microsoft Edge hijacks .PDF and .HTM files + + + +## Citrix Receiver in Microsoft Edge kiosk mode +If you want to deliver applications to users via Citrix through Microsoft Edge, you must create the kiosk user account and then log into the account to install Citrix Receiver BEFORE setting up assigned access. + +1. Create the kiosk user account. +2. Log into the account. +3. Install Citrix Receiver. +4. Set up assigned access. + + +## Missing SettingSync.admx and SettingSync.adml files + +Make sure to [download](https://www.microsoft.com/en-us/download/windows.aspx) the latest templates to C:\windows\policydefinitions\. \ No newline at end of file diff --git a/browsers/edge/use-powershell-to manage-group-policy.md b/browsers/edge/use-powershell-to manage-group-policy.md new file mode 100644 index 0000000000..b4a16608e7 --- /dev/null +++ b/browsers/edge/use-powershell-to manage-group-policy.md @@ -0,0 +1,27 @@ +--- +title: Use Windows PowerShell to manage group policy +description: +ms.prod: edge +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) +ms.localizationpriority: medium +ms.date: 10/02/2018 +ms.author: pashort +author: shortpatti +--- + +# Use Windows PowerShell to manage group policy + +Windows PowerShell supports group policy automation of the same tasks you perform in Group Policy Management Console (GPMC) for domain-based group policy objects (GPOs): + +- Maintain GPOs (GPO creation, removal, backup, and import) +- Associate GPOs with Active Directory service containers (group policy link creation, update, and removal) +- Set permissions on GPOs +- Modify inheritance flags on Active Directory organization units (OUs) and domains +- Configure registry-based policy settings and group policy preferences registry settings (update, retrieval, and removal) +- Create starter GPOs + + + diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index f6061375ab..6ebdd65d65 100644 --- a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md @@ -33,7 +33,7 @@ You can add individual sites to your compatibility list by using the Enterprise 1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**. 2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

-Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation. +Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. 3. Type any comments about the website into the **Notes about URL** box.

Administrators can only see comments while they’re in this tool. diff --git a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index eafa1921a5..4c6531c174 100644 --- a/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/enterprise-mode/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md @@ -33,7 +33,7 @@ You can add individual sites to your compatibility list by using the Enterprise 1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**. 2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

-Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation. +Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. 3. Type any comments about the website into the **Notes about URL** box.

Administrators can only see comments while they’re in this tool. diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md index ff584c1c9d..4752275c43 100644 --- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md @@ -21,7 +21,7 @@ ms.date: 07/27/2017 Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. >**Upgrade Analytics and Windows upgrades**
->You can use Upgrade Analytics to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Analytics to review several site discovery reports. Check out Upgrade Analytics from [here](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-analytics-get-started). +>You can use Upgrade Analytics to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Analytics to review several site discovery reports. Check out Upgrade Analytics from [here](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-get-started). ## Before you begin diff --git a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md index 18b8b34406..4dfb16435c 100644 --- a/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/create-change-request-enterprise-mode-portal.md @@ -50,11 +50,11 @@ Employees assigned to the Requester role can create a change request. A change r - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change. - - **App location (URL).** The full URL location to the app, starting with http:// or https://. + - **App location (URL).** The full URL location to the app, starting with https:// or https://. - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. - - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/en-us/library/cc288325(v=vs.85).aspx). + - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx). 4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. diff --git a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md index 20155271eb..25f58fb19f 100644 --- a/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md +++ b/browsers/enterprise-mode/enterprise-mode-and-enterprise-site-list-include.md @@ -5,7 +5,7 @@ Starting with Windows 10, version 1511 (also known as the Anniversary Update), y ### Site list xml file -This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. +This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. ```xml diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md index 88711fd787..52ada71083 100644 --- a/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-1-guidance.md @@ -28,7 +28,7 @@ If you don't want to use the Enterprise Mode Site List Manager, you also have th The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1. **Important**
-Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both http://contoso.com and https://contoso.com. +Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both https://contoso.com and https://contoso.com. ``` xml @@ -135,7 +135,7 @@ This table includes the elements used by the Enterprise Mode schema. <path exclude="true">/products</path> </domain> </emie>

-Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.com/products does. +Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does. Internet Explorer 11 and Microsoft Edge @@ -167,7 +167,7 @@ This table includes the attributes used by the Enterprise Mode schema. <path exclude="true">/products</path> </domain> </emie>

-Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.com/products does. +Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does. Internet Explorer 11 and Microsoft Edge @@ -203,7 +203,7 @@ For example, say you want all of the sites in the contoso.com domain to open usi ### What not to include in your schema We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: -- Don’t use protocols. For example, `http://`, `https://`, or custom protocols. They break parsing. +- Don’t use protocols. For example, `https://`, `https://`, or custom protocols. They break parsing. - Don’t use wildcards. - Don’t use query strings, ampersands break parsing. diff --git a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md index df6a01cb68..ebc229a1db 100644 --- a/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/enterprise-mode/enterprise-mode-schema-version-2-guidance.md @@ -38,7 +38,7 @@ You can continue to use the v.1 version of the schema on Windows 10, but you wo The following is an example of the v.2 version of the Enterprise Mode schema. **Important**
-Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both http://contoso.com and https://contoso.com. +Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both https://contoso.com and https://contoso.com.   ``` xml @@ -198,7 +198,7 @@ The <url> attribute, as part of the <site> element in the v.2 versio <site url="contoso.com/travel"> <open-in allow-redirect="true">IE11</open-in> </site> -In this example, if http://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. +In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. Internet Explorer 11 and Microsoft Edge @@ -210,14 +210,14 @@ In this example, if http://contoso.com/travel is encountered in a redirect chain url Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
Note
-Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both http://contoso.com and https://contoso.com. +Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com.

Example 

 <site url="contoso.com:8080">
   <compat-mode>IE8Enterprise</compat-mode>
   <open-in>IE11</open-in>
 </site>
-In this example, going to http://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. +In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. Internet Explorer 11 and Microsoft Edge @@ -286,7 +286,7 @@ Saving your v.1 version of the file using the new Enterprise Mode Site List Mana ### What not to include in your schema We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: -- Don’t use protocols. For example, http://, https://, or custom protocols. They break parsing. +- Don’t use protocols. For example, https://, https://, or custom protocols. They break parsing. - Don’t use wildcards. - Don’t use query strings, ampersands break parsing. diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md index bfb9659bd0..b67d27b563 100644 --- a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md @@ -111,7 +111,7 @@ The required packages are automatically downloaded and included in the solution. 1. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to: - ``` "Enable"="http:///api/records/" + ``` "Enable"="https:///api/records/" ``` Where `` points to your deployment URL. @@ -125,7 +125,7 @@ The required packages are automatically downloaded and included in the solution. **To view the report results** -- Go to `http:///List` to see the report results.

+- Go to `https:///List` to see the report results.

If you’re already on the webpage, you’ll need to refresh the page to see the results. ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md index 0aca62e070..fe5fe752fc 100644 --- a/browsers/enterprise-mode/set-up-enterprise-mode-portal.md +++ b/browsers/enterprise-mode/set-up-enterprise-mode-portal.md @@ -176,7 +176,7 @@ Using the IIS Manager, you must restart both your Application Pool and your webs After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal. **To register as an administrator** -1. Open Microsoft Edge and type your website URL into the Address bar. For example, http://emieportal:8085. +1. Open Microsoft Edge and type your website URL into the Address bar. For example, https://emieportal:8085. 2. Click **Register now**. @@ -184,7 +184,7 @@ After you've created your database and website, you'll need to register yourself 4. Click **Administrator** from the **Role** box, and then click **Save**. -5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, http://emieportal:8085/#/EMIEAdminConsole. +5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, https://emieportal:8085/#/EMIEAdminConsole. A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit. diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md index e4e3d83ec8..1a704aa67e 100644 --- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md +++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md @@ -33,7 +33,7 @@ All of your managed devices must have access to this location if you want them t - **Local file:** `"SiteList"="file:///c:\\Users\\\\Documents\\testList.xml"` > **Example:** - >> _Web URL_ http://localhost:8080/EnterpriseMode.xml + >> _Web URL_ https://localhost:8080/EnterpriseMode.xml >> >> _Network Share_ \\NetworkShare.xml (Place this inside the group policy folder on Sysvol) >> diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md index 0f5ff8d1f9..5781fe3fc0 100644 --- a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -46,9 +46,9 @@ Besides turning on this feature, you also have the option to provide a URL for E Your **Value data** location can be any of the following types: -- **URL location (like, http://www.emieposturl.com/api/records or http://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

**Important**
-The `http://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. -- **Local network location (like, http://*emieposturl*/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. +- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

**Important**
+The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. +- **Local network location (like, https://*emieposturl*/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. - **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data. For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md). diff --git a/browsers/includes/available-duel-browser-experiences-include.md b/browsers/includes/available-duel-browser-experiences-include.md index 175646f824..3ea0832564 100644 --- a/browsers/includes/available-duel-browser-experiences-include.md +++ b/browsers/includes/available-duel-browser-experiences-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ## Available dual-browser experiences Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment: diff --git a/browsers/includes/configuration-options.md b/browsers/includes/configuration-options.md deleted file mode 100644 index 2b2516dfe2..0000000000 --- a/browsers/includes/configuration-options.md +++ /dev/null @@ -1,11 +0,0 @@ -## Configuration options -You can make changes to your deployment through the software management system you have chosen. - -### Choosing an update channel - -### Configure policies using Group Policy Editor - -### Configure policies using Registry Editor - -### Configure policies using Intune - diff --git a/browsers/includes/control-browser-content.md b/browsers/includes/control-browser-content.md deleted file mode 100644 index e32eda17a8..0000000000 --- a/browsers/includes/control-browser-content.md +++ /dev/null @@ -1,18 +0,0 @@ -## Controlling browser content -This section explains how to control content in the browser. - -### Configure Pop-up Blocker -[configure-pop-up-blocker-include](../edge/includes/configure-pop-up-blocker-include.md) - -### Allow exentions -[allow-extensions-include](../edge/includes/allow-extensions-include.md) - -[send-all-intranet-sites-ie-include](../edge/includes/send-all-intranet-sites-ie-include.md) - -[keep-fav-sync-ie-edge-include](../edge/includes/keep-fav-sync-ie-edge-include.md) - -extensions -javascript -Tracking your browser: -- Do not track - diff --git a/browsers/includes/control-browsing-behavior.md b/browsers/includes/control-browsing-behavior.md deleted file mode 100644 index 067eba3f7d..0000000000 --- a/browsers/includes/control-browsing-behavior.md +++ /dev/null @@ -1,90 +0,0 @@ - -# Control browsing behavior -This section explains how to contol the behavior of Microsoft Edge in certain circumstances. Besides changing how sites deplay and the look and feel of the browser itself, you can also change how the browser behaves, for example, you can change the settings for security. - - - -## Security settings - -## Cookies - -[configure-cookies-include](../edge/includes/configure-cookies-include.md) - -## Search engine settings -...shortdesc of search engines...how admins can control the default search engine... - -### Allow address bar suggestions -[allow-address-bar-suggestions-include](../edge/includes/allow-address-bar-suggestions-include.md) - -[configure-search-suggestions-address-bar-include](../edge/includes/configure-search-suggestions-address-bar-include.md) - -[allow-search-engine-customization-include](../edge/includes/allow-search-engine-customization-include.md) - -[configure-additional-search-engines-include](../edge/includes/configure-additional-search-engines-include.md) - -[set-default-search-engine-include](../edge/includes/set-default-search-engine-include.md) - - - - -## Extensions -Extensions allow you to add features and functionality directly into the browser itself. Choose from a range of extensions from the Microsoft Store. - - - -[Allow Extensions](../edge/available-policies.md#allow-extensions) - -[allow-sideloading-extensions-include](../edge/includes/allow-sideloading-extensions-include.md) - -[prevent-turning-off-required-extensions-include](../edge/includes/prevent-turning-off-required-extensions-include.md) - -## Home button settings -The Home page... - - -### Scenarios -You can specify www.bing.com or www.google.com as the startup pages for Microsoft Edge using "HomePages" (MDM) or Configure Start Pages (GP). You can also enable the Disable Lockdown of Start pages (GP) policy or set the the DisableLockdownOfStartPages (MDM) setting to 1 allowing users to change the Microsoft Edge start options. Additionally, you can enable the Disable Lockdown of Start Pages or set the DisableLockdownOfStartPages to 2 locking down the IT-provided URLs, but allowing users to add or remove additional URLs. Users cannot switch Startup setting to another, for example, to load New Tab page or "previous pages" at startup. - -### Configuration combinations - -| **Configure Home Button** | **Set Home Button URL** | **Unlock Home Button** | **Results** | -|---------------------------------|-------------------------|------------------------|---------------------------------| -| Not configured (0/Null default) | N/A | N/A | Shows home button and loads the Start page. | -| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and prevent users from making changes to it. | -| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and let users from making changes to it. | -| Enabled (2) | Enabled | Disabled (0 default) | Shows home button, loads custom URL defined in the Set Home Button URL policy, prevent users from changing what page loads. | -| Enabled (2) | Enabled | Enabled | Shows home button, loads custom URL defined in the Set Home Button URL policy, and allow users to change what page loads. | -| Enabled (3) | N/A | N/A | Hides home button. | ---- - -[configure-home-button-include](configure-home-button-include.md) - -[set-home-button-url-include](set-home-button-url-include.md) - -[unlock-home-button-include](unlock-home-button-include.md) - -## Start page settings - -[configure-start-pages-include](configure-start-pages-include.md) - -[disable-lockdown-of-start-pages-include](disable-lockdown-of-start-pages-include.md) - - - -## New Tab page settings - -[set-new-tab-url-include](set-new-tab-url-include.md) - -[allow-web-content-new-tab-page-include](allow-web-content-new-tab-page-include.md) - - -## Exit tasks - -[allow-clearing-browsing-data-include](allow-clearing-browsing-data-include.md) - - -## Kiosk mode - -[Configure kiosk mode](configure-microsoft-edge-kiosk-mode-include.md) - -[Configure kiosk reset after idle timeout](configure-edge-kiosk-reset-idle-timeout-include.md) diff --git a/browsers/includes/customize-look-and-feel.md b/browsers/includes/customize-look-and-feel.md deleted file mode 100644 index 5bada8092e..0000000000 --- a/browsers/includes/customize-look-and-feel.md +++ /dev/null @@ -1,2 +0,0 @@ -## Customize the look and feel - diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md index 21a3238bd5..450c65b503 100644 --- a/browsers/includes/helpful-topics-include.md +++ b/browsers/includes/helpful-topics-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ## Helpful information and additional resources - [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) @@ -25,4 +33,4 @@ - [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) - [Download Internet Explorer 11](https://go.microsoft.com/fwlink/p/?linkid=290956) - [Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide](https://go.microsoft.com/fwlink/p/?LinkId=760646) -- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list) +- [Fix web compatibility issues using document modes and the Enterprise Mode site list](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list) diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md index 2e8b76896b..02ad5fe86d 100644 --- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md +++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. >[!IMPORTANT] diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md index 5937eb6bef..a18552366f 100644 --- a/browsers/includes/interoperability-goals-enterprise-guidance.md +++ b/browsers/includes/interoperability-goals-enterprise-guidance.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/15/2018 +ms.prod: edge +ms:topic: include +--- + ## Interoperability goals and enterprise guidance Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser. @@ -10,19 +18,20 @@ You must continue using IE11 if web apps use any of the following: * <meta> tags -* Enterprise mode or compatibility view to address compatibility issues +* Enterprise mode or compatibility view to addressing compatibility issues -* legacy document modes [what is this?] +* legacy document modes -If you have uninstalled IE11, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. +If you have uninstalled IE11, you can download it from the Microsoft Store or the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). Alternatively, you can use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. >[!TIP] ->If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714). +>If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy](https://go.microsoft.com/fwlink/p/?LinkId=620714). |Technology |Why it existed |Why we don't need it anymore | |---------|---------|---------| |ActiveX |ActiveX is a binary extension model introduced in 1996 which allowed developers to embed native Windows technologies (COM/OLE) in web pages. These controls can be downloaded and installed from a site and were subsequently loaded in-process and rendered in Internet Explorer. | | |Browser Helper Objects (BHO) |BHOs are a binary extension model introduced in 1997 which enabled developers to write COM objects that were loaded in-process with the browser and could perform actions on available windows and modules. A common use was to build toolbars that installed into Internet Explorer. | | -|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions. |Similar to other modern browsers, Microsoft Edge will have a single “living” document mode. In order to minimize the compatibility burden, features will be tested behind switches in about:flags until they are stable and ready to be turned on by default. | +|Document modes | Starting with IE8, Internet Explorer introduced a new “document mode” with every release. These document modes could be requested via the x-ua-compatible header to put the browser into a mode which emulates legacy versions. |Similar to other modern browsers, Microsoft Edge has a single “living” document mode. To minimize the compatibility burden, we test features behind switches in about:flags until stable and ready to be turned on by default. | +--- diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 34e8b2d487..323ba3e4bd 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md index decdc115fa..2eab3c28fd 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md @@ -33,7 +33,7 @@ You can add individual sites to your compatibility list by using the Enterprise 1. In the Enterprise Mode Site List Manager (schema v.1), click **Add**. 2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

-Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation. +Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. 3. Type any comments about the website into the **Notes about URL** box.

Administrators can only see comments while they’re in this tool. diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md index bdfc8633a7..df209b5a60 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md +++ b/browsers/internet-explorer/ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md @@ -33,7 +33,7 @@ You can add individual sites to your compatibility list by using the Enterprise 1. In the Enterprise Mode Site List Manager (schema v.2), click **Add**. 2. Type the URL for the website that’s experiencing compatibility problems, like *<domain>.com* or *<domain>.com*/*<path>* into the **URL** box.

-Don't include the `http://` or `https://` designation. The tool automatically tries both versions during validation. +Don't include the `https://` or `https://` designation. The tool automatically tries both versions during validation. 3. Type any comments about the website into the **Notes about URL** box.

Administrators can only see comments while they’re in this tool. diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md index a1ba907f17..9e485e54d8 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-configuration-settings-for-ie11.md @@ -52,7 +52,7 @@ After adding the `FEATURE\AUTOCONFIG\BRANDING` registry key, you can change your - **Automatic Configuration URL (.INS file) box:** Type the location of your automatic configuration script. - - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.

**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `http://share/test.ins`. + - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script.

**Important**
Internet Explorer 11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. If your branding changes aren't correctly deployed after running through this process, see [Auto configuration and auto proxy problems with Internet Explorer 11](auto-configuration-and-auto-proxy-problems-with-ie11.md). diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md index 180e1100b9..8d6510713e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-detect-settings-for-ie11.md @@ -40,7 +40,7 @@ To use automatic detection, you have to set up your DHCP and DNS servers.

**No 3. In your DNS database file, create a host record named, **WPAD**. This record has the IP address of the web server storing your automatic configuration (.js, .jvs, .pac, or .ins) file.

**-OR-**

Create a canonical name (CNAME) alias record named, **WPAD**. This record has the resolved name (not the IP address) of the server storing your automatic configuration (.pac) file.

**Note**
For more information about creating a **WPAD** entry, see [Creating a WPAD entry in DNS](https://go.microsoft.com/fwlink/p/?LinkId=294651).  -4. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.

**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `http://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. +4. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file.

**Note**
Internet Explorer 11 creates a default URL template based on the host name, **wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file.   diff --git a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md index 99f85f37b8..a0e95c8fac 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md @@ -30,7 +30,7 @@ You can use your Internet settings (.ins) files to set up your standard proxy se - **Automatic Configuration URL (.INS file) box:** Type the location of the .ins file you want to use for automatic configuration. For more information about setting up **Automatic Configuration**, see [Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md). - - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.

**Important**
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `http://share/test.ins`. + - **Automatic proxy URL (.JS, .JVS, or .PAC file) box:** Type the location of your automatic proxy script. This script runs whenever IE11 makes a network request and can include multiple proxy servers for each protocol type.

**Important**
IE11 no longer supports using file server locations with your proxy configuration (.pac) files. To keep using your .pac files, you have to keep them on a web server and reference them using a URL, like `https://share/test.ins`. ## Locking your auto-proxy settings You have two options to restrict your users' ability to override the automatic configuration settings, based on your environment. diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 201c1903c2..5d6a571e4a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -21,7 +21,7 @@ ms.date: 07/27/2017 Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. >**Upgrade Analytics and Windows upgrades**
->You can use Upgrade Analytics to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Analytics to review several site discovery reports. Check out Upgrade Analytics from [here](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-analytics-get-started). +>You can use Upgrade Analytics to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Analytics to review several site discovery reports. Check out Upgrade Analytics from [here](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-get-started). ## Before you begin diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md index 3d85d5801b..145c439f02 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md @@ -50,11 +50,11 @@ Employees assigned to the Requester role can create a change request. A change r - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change. - - **App location (URL).** The full URL location to the app, starting with http:// or https://. + - **App location (URL).** The full URL location to the app, starting with https:// or https://. - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. - - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/en-us/library/cc288325(v=vs.85).aspx). + - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/library/cc288325(v=vs.85).aspx). 4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md index d6ea666402..ef14f9f67f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md +++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md @@ -41,7 +41,7 @@ Deploying pinned websites in MDT 2013 is a 4-step process: Pinned websites are immediately available to every user who logs on to the computer although the user must click each icon to populate its Jump List. **Important**
-To follow the examples in this topic, you’ll need to pin the Bing (http://www.bing.com/) and MSN (http://www.msn.com/) websites to the taskbar. +To follow the examples in this topic, you’ll need to pin the Bing (https://www.bing.com/) and MSN (https://www.msn.com/) websites to the taskbar. ### Step 1: Creating .website files The first step is to create a .website file for each website that you want to pin to the Windows 8.1 taskbar during deployment. A .website file is like a shortcut, except it’s a plain text file that describes not only the website’s URL but also how the icon looks. @@ -78,7 +78,7 @@ After your operating system is installed on the target computer, you need to cop 4. Rename the newly created item to *Copy Files* and move it up to the top of the **Postinstall** folder. -5. In the **Command Line** box enter the following text, `xcopy “%DEPLOYROOT%\$OEM$\$1” “%OSDisk%\” /yqe`. +5. In the **Command Line** box enter the following text, `xcopy "%DEPLOYROOT%\$OEM$\$1" "%OSDisk%\" /yqe`. 6. Click the **Apply** button to save your changes. diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md index 154ad6670a..307614576b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md @@ -28,7 +28,7 @@ If you don't want to use the Enterprise Mode Site List Manager, you also have th The following is an example of the Enterprise Mode schema v.1. This schema can run on devices running Windows 7 and Windows 8.1. **Important**
-Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both http://contoso.com and https://contoso.com. +Make sure that you don't specify a protocol when adding your URLs. Using a URL like `contoso.com` automatically applies to both https://contoso.com and https://contoso.com. ``` xml @@ -131,11 +131,11 @@ This table includes the elements used by the Enterprise Mode schema.

Example 

 <emie>
-  <domain exclude="false">fabrikam.com
-    <path exclude="true">/products</path>
+  <domain exclude="true">fabrikam.com
+    <path exclude="false">/products</path>
   </domain>
 </emie>

-Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.com/products does. +Where https://fabrikam.com doesn't use IE8 Enterprise Mode, but https://fabrikam.com/products does. Internet Explorer 11 and Microsoft Edge @@ -159,7 +159,7 @@ This table includes the attributes used by the Enterprise Mode schema. <exclude> -Specifies the domain or path that is excluded from getting the behavior applied. This attribute is supported on the <domain> and <path> elements. +Specifies the domain or path excluded from applying the behavior and is supported on the <domain> and <path> elements.

Example 

 <emie>
@@ -167,7 +167,7 @@ This table includes the attributes used by the Enterprise Mode schema.
     <path exclude="true">/products</path>
   </domain>
 </emie>

-Where http://fabrikam.com doesn't use IE8 Enterprise Mode, but http://fabrikam.com/products does. +Where https://fabrikam.com uses IE8 Enterprise Mode, but https://fabrikam.com/products does not. Internet Explorer 11 and Microsoft Edge @@ -203,7 +203,7 @@ For example, say you want all of the sites in the contoso.com domain to open usi ### What not to include in your schema We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: -- Don’t use protocols. For example, `http://`, `https://`, or custom protocols. They break parsing. +- Don’t use protocols. For example, `https://`, `https://`, or custom protocols. They break parsing. - Don’t use wildcards. - Don’t use query strings, ampersands break parsing. @@ -230,4 +230,4 @@ If you want to target specific sites in your organization. |You can specify subdomains in the domain tag. |<docMode>
<domain docMode="5">contoso.com</domain>
<domain docMode="9">info.contoso.com</domain>
<docMode> |

  • contoso.com uses document mode 5.
  • info.contoso.com uses document mode 9.
  • test.contoso.com also uses document mode 5.
| |You can specify exact URLs by listing the full path. |<emie>
<domain exclude="false">bing.com</domain>
<domain exclude="false" forceCompatView="true">contoso.com</domain>
<emie>|
  • bing.com uses IE8 Enterprise Mode.
  • contoso.com uses IE7 Enterprise Mode.
| |You can nest paths underneath domains. |<emie>
<domain exclude="true">contoso.com
<path exclude="false">/about</path>
<path exclude="true">
/about/business</path>
</domain>
</emie> |
  • contoso.com will use the default version of IE.
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, except contoso.com/about/business, which will load in the default version of IE.
| -|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie> |
  • contoso.com will use the default version of IE.
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
| \ No newline at end of file +|You can’t add a path underneath a path. The file will still be parsed, but the sub-path will be ignored. |<emie>
<domain exclude="true">contoso.com
<path>/about
<path exclude="true">/business</path>
</path>
</domain>
</emie> |
  • contoso.com will use the default version of IE.
  • contoso.com/about and everything underneath that node will load in Enterprise Mode, including contoso.com/about/business because the last rule is ignored.
| diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 354fe81545..d9689c000a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -38,7 +38,7 @@ You can continue to use the v.1 version of the schema on Windows 10, but you wo The following is an example of the v.2 version of the Enterprise Mode schema. **Important**
-Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both http://contoso.com and https://contoso.com. +Make sure that you don't specify a protocol when adding your URLs. Using a URL like ``, automatically applies to both https://contoso.com and https://contoso.com.   ``` xml @@ -198,7 +198,7 @@ The <url> attribute, as part of the <site> element in the v.2 versio <site url="contoso.com/travel"> <open-in allow-redirect="true">IE11</open-in> </site> -In this example, if http://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. +In this example, if https://contoso.com/travel is encountered in a redirect chain in Microsoft Edge, it will be opened in Internet Explorer. Internet Explorer 11 and Microsoft Edge @@ -210,14 +210,14 @@ In this example, if http://contoso.com/travel is encountered in a redirect chain url Specifies the URL (and port number using standard port conventions) to which the child elements apply. The URL can be a domain, sub-domain, or any path URL.
Note
-Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both http://contoso.com and https://contoso.com. +Make sure that you don't specify a protocol. Using <site url="contoso.com"> applies to both https://contoso.com and https://contoso.com.

Example 

 <site url="contoso.com:8080">
   <compat-mode>IE8Enterprise</compat-mode>
   <open-in>IE11</open-in>
 </site>
-In this example, going to http://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. +In this example, going to https://contoso.com:8080 using Microsoft Edge, causes the site to open in IE11 and load in IE8 Enterprise Mode. Internet Explorer 11 and Microsoft Edge @@ -286,7 +286,7 @@ Saving your v.1 version of the file using the new Enterprise Mode Site List Mana ### What not to include in your schema We recommend that you not add any of the following items to your schema because they can make your compatibility list behave in unexpected ways: -- Don’t use protocols. For example, http://, https://, or custom protocols. They break parsing. +- Don’t use protocols. For example, https://, https://, or custom protocols. They break parsing. - Don’t use wildcards. - Don’t use query strings, ampersands break parsing. diff --git a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md index 5d13b1b04f..7391d19ecf 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md +++ b/browsers/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates.md @@ -16,15 +16,15 @@ ms.date: 05/22/2018 # Internet Explorer 11 delivery through automatic updates Internet Explorer 11 makes browsing the web faster, easier, safer, and more reliable than ever. To help customers become more secure and up-to-date, Microsoft will distribute Internet Explorer 11 through Automatic Updates and the Windows Update and Microsoft Update sites. Internet Explorer 11 will be available for users of the 32-bit and 64-bit versions of Windows 7 Service Pack 1 (SP1), and 64-bit version of Windows Server 2008 R2 SP1. This article provides an overview of the delivery process and options available for IT administrators to control how and when Internet Explorer 11 is deployed to their organization through Automatic Updates. -- [Automatic updates delivery process](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process) +- [Automatic updates delivery process](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#automatic-updates-delivery-process) -- [Internet Explorer 11 automatic upgrades](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#internet-explorer-11-automatic-upgrades) +- [Internet Explorer 11 automatic upgrades](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#internet-explorer-11-automatic-upgrades) -- [Options for blocking automatic delivery](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#options-for-blocking-automatic-delivery) +- [Options for blocking automatic delivery](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#options-for-blocking-automatic-delivery) -- [Availability of Internet Explorer 11](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#availability-of-internet-explorer-11) +- [Availability of Internet Explorer 11](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#availability-of-internet-explorer-11) -- [Prevent automatic installation of Internet Explorer 11 with WSUS](https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#prevent-automatic-installation-of-internet-explorer-11-with-wsus) +- [Prevent automatic installation of Internet Explorer 11 with WSUS](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/ie11-delivery-through-automatic-updates#prevent-automatic-installation-of-internet-explorer-11-with-wsus) ## Automatic updates delivery process diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md index 7a95011950..37916eff52 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md @@ -16,7 +16,7 @@ Windows Server Update Services (WSUS) lets you download a single copy of the Mic **To import from Windows Update to WSUS** -1. Open your WSUS admin site. For example, `http:///WSUSAdmin/`.

+1. Open your WSUS admin site. For example, `https:///WSUSAdmin/`.

Where `` is the name of your WSUS server. 2. Choose the top server node or the **Updates** node, and then click **Import Updates**. diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md index 5be58eea07..1dcf781581 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md @@ -21,7 +21,7 @@ IE11 works differently with search, based on whether your organization is domain - **Non-domain-joined computers.** A single word entry is treated as an intranet site. However, if the term doesn't resolve to a site, IE11 then treats the entry as a search term and opens your default search provider. -To explicitly go to an intranet site, regardless of the environment, users can type either a trailing slash like ` contoso/` or the `http://` prefix. Either of these will cause IE11 to treat the entry as an intranet search. You can also change the default behavior so that IE11 treats your single word entry in the address bar as an intranet site, regardless of your environment. +To explicitly go to an intranet site, regardless of the environment, users can type either a trailing slash like ` contoso/` or the `https://` prefix. Either of these will cause IE11 to treat the entry as an intranet search. You can also change the default behavior so that IE11 treats your single word entry in the address bar as an intranet site, regardless of your environment. **To enable single-word intranet search** @@ -29,7 +29,7 @@ To explicitly go to an intranet site, regardless of the environment, users can t 2. Click **Advanced**, check the **Go to an intranet site for a single word entry in the Address bar** box, and then click **OK**. -If you'd like your entire organization to have single word entries default to an intranet site, you can turn on the **Go to an intranet site for a single word entry in the Address bar** Group Policy. With this policy turned on, a search for `contoso` automatically resolves to `http://contoso`. +If you'd like your entire organization to have single word entries default to an intranet site, you can turn on the **Go to an intranet site for a single word entry in the Address bar** Group Policy. With this policy turned on, a search for `contoso` automatically resolves to `https://contoso`.   diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md index d365ac1e78..0b64ef876d 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md @@ -33,7 +33,7 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manag |Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data |Administrative Templates\Windows Components\Internet Explorer\Delete Browsing History |At least Windows Internet Explorer 9 |**In Internet Explorer 9 and Internet Explorer 10:**
This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection data, which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking Protection. In addition, Tracking Protection data is also collected if users turn on the **Personalized Tracking Protection List**, which blocks third-party items while the user is browsing.

**In IE11:**
This policy setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions, stored in the **Delete Browsing History** dialog box, for visited websites.

If you enable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is preserved when the user clicks **Delete**.

If you disable this policy setting, ActiveX Filtering, Tracking Protection and Do Not Track data is deleted when the user clicks **Delete**.

If you don’t configure this policy setting, users can turn this feature on and off, determining whether to delete ActiveX Filtering, Tracking Protection, and Do Not Track data when clicking **Delete**. | |Send all sites not included in the Enterprise Mode Site List to Microsoft Edge |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether to open all sites that aren’t specified to open in IE11 by the Enterprise Mode site list, to open in Microsoft Edge.

If you enable this policy setting, you must also enable the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode site list.

If you disable or don't configure this policy setting, all sites will open based on the currently active browser.

**Note:**
If you’ve also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. | |Show message when opening sites in Microsoft Edge using Enterprise Mode |Administrative Templates\Windows Components\Internet Explorer |IE11 on Windows 10, version 1607 |This policy setting lets you decide whether employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you enable this policy setting, employees see an additional page in Internet Explorer 11, stating that a site has been opened using Microsoft Edge with Enterprise Mode.

If you disable or don't configure this policy setting, the default app behavior occurs and no additional page appears. | -|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. | +|Turn off automatic download of the ActiveX VersionList |Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management |At least Windows Internet Explorer 8 |This policy setting allows you to decide whether Internet Explorer automatically downloads updated versions of Microsoft's VersionList.XML file. This file tells Internet Explorer whether to stop specific ActiveX controls from loading.

If you enable this policy setting, Internet Explorer stops automatically downloading updated versions of the VersionList.XML file.

If you disable or don’t configure this setting, Internet Explorer continues to download updated versions of the VersionList.XML file.

**Important:**
Stopping this file from updating breaks the out-of-date ActiveX control blocking feature, potentially compromising the security of the device. For more info, see the Out-of-Date ActiveX Control Blocking (https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking) topic. | |Turn off loading websites and content in the background to optimize performance |Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page |IE11 on Windows 10 |This policy setting determines whether Internet Explorer preemptively loads websites and content in the background, speeding up performance such that when the user clicks a hyperlink, the background page seamlessly switches into view.

If you enable this policy setting, IE doesn't load any websites or content in the background.

If you disable this policy setting, IE preemptively loads websites and content in the background.

If you don’t configure this policy setting, users can turn this behavior on or off, using IE settings. This feature is turned on by default. | |Turn off phone number detection |Administrative Templates\Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing |IE11 on Windows 10 |This policy setting determines whether phone numbers are recognized and turned into hyperlinks, which can be used to invoke the default phone application on the system.

If you enable this policy setting, phone number detection is turned off. Users won’t be able to modify this setting.

If you disable this policy setting, phone number detection is turned on. Users won’t be able to modify this setting.

If you don't configure this policy setting, users can turn this behavior on or off, using IE settings. The default is on. | |Turn off sending URL path as UTF-8 |User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Settings\URL Encoding |At least Windows Internet Explorer 7 |This policy setting determines whether to let IE send the path portion of a URL using the UTF-8 standard. This standard defines characters so they're readable in any language and lets you exchange Internet addresses (URLs) with characters included in any language.

If you enable this policy setting, UTF-8 is not allowed. Users won't be able to change this setting.

If you disable this policy setting, UTF-8 is allowed. Users won't be able to change this setting.

If you don't configure this policy setting, users can turn this behavior on or off. | diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md index 66a5d8b70b..a834636814 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md +++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md @@ -115,7 +115,7 @@ Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone an |--------|--------------|-------------|----------| |Turn on ActiveX control logging in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE saves log information for ActiveX controls.

If you enable this setting, IE logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.

If you disable or don't configure this setting, IE won't log ActiveX control information.

Note that you can turn this setting on or off regardless of the **Turn off blocking of outdated ActiveX controls for IE** or **Turn off blocking of outdated ActiveX controls for IE on specific domains** settings. | |Remove the **Run this time** button for outdated ActiveX controls in IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management`|Internet Explorer 8 through IE11 |This setting allows you stop users from seeing the **Run this time** button and from running specific outdated ActiveX controls in IE.

If you enable this setting, users won't see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control.

If you disable or don't configure this setting, users will see the **Run this time** button on the warning message that appears when IE blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once. | -|Turn off blocking of outdated ActiveX controls for IE on specific domains |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting allows you to manage a list of domains on which IE will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in IE. Each domain entry must be formatted like one of the following:

  • **"domainname.TLD".** For example, if you want to include `*.contoso.com/*`, use "contoso.com".
  • **"hostname".** For example, if you want to include `http://example`, use "example".
  • **"file:///path/filename.htm"**. For example, use `file:///C:/Users/contoso/Desktop/index.htm`.

If you disable or don't configure this setting, the list is deleted and IE continues to block specific outdated ActiveX controls on all domains in the Internet Zone. | +|Turn off blocking of outdated ActiveX controls for IE on specific domains |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting allows you to manage a list of domains on which IE will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in IE. Each domain entry must be formatted like one of the following:

  • **"domainname.TLD".** For example, if you want to include `*.contoso.com/*`, use "contoso.com".
  • **"hostname".** For example, if you want to include `https://example`, use "example".
  • **"file:///path/filename.htm"**. For example, use `file:///C:/Users/contoso/Desktop/index.htm`.

If you disable or don't configure this setting, the list is deleted and IE continues to block specific outdated ActiveX controls on all domains in the Internet Zone. | |Turn off blocking of outdated ActiveX controls for IE |`Administrative Templates\Windows Components\Internet Explorer\Security Features\Add-on Management` |Internet Explorer 8 through IE11 |This setting determines whether IE blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

If you enable this setting, IE stops blocking outdated ActiveX controls.

If you disable or don't configure this setting, IE continues to block specific outdated ActiveX controls. | |Remove the **Update** button in the out-of-date ActiveX control blocking notification for IE |This functionality is only available through the registry |Internet Explorer 8 through IE11 |This setting determines whether the out-of-date ActiveX control blocking notification shows the **Update** button. This button points users to update specific out-of-date ActiveX controls in IE. | @@ -145,8 +145,8 @@ Here’s a detailed example and description of what’s included in the VersionA |Source URI |File path |Product version |File version |Allowed/Blocked |Reason |EPM-compatible | |-----------|----------|----------------|-------------|----------------|-------|---------------| -|`http://contoso.com/test1.html` |C:\Windows\System32\Macromed\Flash\Flash.ocx |14.0.0.125 |14.0.0.125 |Allowed |Not in blocklist |EPM-compatible | -|`http://contoso.com/test2.html` |C:\Program Files\Java\jre6\bin\jp2iexp.dll |6.0.410.2 |6.0.410.2 |Blocked |Out of date |Not EPM-compatible | +|`https://contoso.com/test1.html` |C:\Windows\System32\Macromed\Flash\Flash.ocx |14.0.0.125 |14.0.0.125 |Allowed |Not in blocklist |EPM-compatible | +|`https://contoso.com/test2.html` |C:\Program Files\Java\jre6\bin\jp2iexp.dll |6.0.410.2 |6.0.410.2 |Blocked |Out of date |Not EPM-compatible | **Where:** - **Source URI.** The URL of the page that loaded the ActiveX control. diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md index 8653264774..a72a457d0a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md @@ -111,7 +111,7 @@ The required packages are automatically downloaded and included in the solution. 1. Open a registry editor on the computer where you deployed the app, go to the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode` key, and change the **Enable** string to: - ``` "Enable"="http:///api/records/" + ``` "Enable"="https:///api/records/" ``` Where `` points to your deployment URL. @@ -125,7 +125,7 @@ The required packages are automatically downloaded and included in the solution. **To view the report results** -- Go to `http:///List` to see the report results.

+- Go to `https:///List` to see the report results.

If you’re already on the webpage, you’ll need to refresh the page to see the results. ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png) diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md index bb8a401b5c..47c4caf92b 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md @@ -176,7 +176,7 @@ Using the IIS Manager, you must restart both your Application Pool and your webs After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal. **To register as an administrator** -1. Open Microsoft Edge and type your website URL into the Address bar. For example, http://emieportal:8085. +1. Open Microsoft Edge and type your website URL into the Address bar. For example, https://emieportal:8085. 2. Click **Register now**. @@ -184,7 +184,7 @@ After you've created your database and website, you'll need to register yourself 4. Click **Administrator** from the **Role** box, and then click **Save**. -5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, http://emieportal:8085/#/EMIEAdminConsole. +5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, https://emieportal:8085/#/EMIEAdminConsole. A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit. diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md index ea5b7d450b..ea9a56a081 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md @@ -46,9 +46,9 @@ Besides turning on this feature, you also have the option to provide a URL for E Your **Value data** location can be any of the following types: -- **URL location (like, http://www.emieposturl.com/api/records or http://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

**Important**
-The `http://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. -- **Local network location (like, http://*emieposturl*/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. +- **URL location (like, https://www.emieposturl.com/api/records or https://localhost:13000)**. IE sends a POST message to the URL every time a change is made to Enterprise Mode from the **Tools** menu.

**Important**
+The `https://www.emieposturl.com/api/records` example will only work if you’ve downloaded the sample discussed in the [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) topic. If you don’t have the sample, you won’t have the web API. +- **Local network location (like, https://*emieposturl*/)**. IE sends a POST message to your specified local network location every time a change is made to Enterprise Mode from the **Tools** menu. - **Empty string**. If you leave the **Value data** box blank; your employees will be able to turn Enterprise Mode on and off from the **Tools** menu, but you won’t collect any logging data. For information about how to collect the data provided when your employees turn Enterprise Mode on or off from the **Tools** menu, see [Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md). diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md index bd859900d1..61997d30d7 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md +++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md @@ -8,7 +8,7 @@ ms.prod: ie11 ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros) ms.sitesec: library -ms.date: 12/04/2017 +ms.date: 10/25/2018 --- @@ -25,17 +25,15 @@ ms.date: 12/04/2017 Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). ## Available dual-browser experiences -Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment: +If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. -- Use Microsoft Edge as your primary browser. +Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. -- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies. +>[!TIP] +> If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. -- Use Microsoft Edge as your primary browser and open all intranet sites in IE11. +For Windows 10 and Windows 10 Mobile, Microsoft Edge is the default browser experience. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. -- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies. - -For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog. ## What is Enterprise Mode? Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10, Windows 8.1, and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8. Running in this mode helps to avoid many of the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. @@ -65,7 +63,7 @@ The Enterprise Mode Site List is an XML document that specifies a list of sites, Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge. ### Site list xml file -This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. +This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. ```xml diff --git a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md index b31c220601..440d2c7fc1 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/auto-config-ieak11-wizard.md @@ -42,7 +42,7 @@ You can use the Domain Name System (DNS) and the Dynamic Host Configuration Prot - Type the location to your automatic proxy script file. **Note**
- If you specify URLs for both auto-config and auto-proxy, the auto-proxy URL will be incorporated into the .ins file. The correct form for the URL is `http://share/test.ins`. + If you specify URLs for both auto-config and auto-proxy, the auto-proxy URL will be incorporated into the .ins file. The correct form for the URL is `https://share/test.ins`. 3. Click **Next** to go to the [Proxy Settings](proxy-settings-ieak11-wizard.md) page or **Back** to go to the [Connection Settings](connection-settings-ieak11-wizard.md) page. diff --git a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md index 0752aaac38..b14d4aa1ce 100644 --- a/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md @@ -36,9 +36,9 @@ DHCP has a higher priority than DNS for automatic configuration. If DHCP provide - Open the [DHCP Administrative Tool](https://go.microsoft.com/fwlink/p/?LinkId=302212), create a new option type, using the code number 252, and then associate it with the URL to your configuration file. For detailed instructions about how to do this, see [Create an option 252 entry in DHCP](https://go.microsoft.com/fwlink/p/?LinkId=294649). **Examples:**
- `http://www.microsoft.com/webproxy.pac`
- `http://marketing/config.ins`
- `http://123.4.567.8/account.pac`

+ `https://www.microsoft.com/webproxy.pac`
+ `https://marketing/config.ins`
+ `https://123.4.567.8/account.pac`

For more detailed info about how to set up your DHCP server, see your server documentation. **To set up automatic detection for DNS servers** @@ -55,5 +55,5 @@ Create a canonical name (CNAME) alias record, named **WPAD**. This record lets y 2. After the database file propagates to the server, the DNS name, `wpad..com` resolves to the server name that includes your automatic configuration file. **Note**
-IE11 creates a default URL template based on the host name,**wpad**. For example, `http://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. +IE11 creates a default URL template based on the host name,**wpad**. For example, `https://wpad..com/wpad.dat`. Because of this, you need to set up a file or redirection point in your web server **WPAD** record, named **wpad.dat**. The **wpad.dat** record delivers the contents of your automatic configuration file. diff --git a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md index 9d4d9f6b4f..f404bf78cf 100644 --- a/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md +++ b/browsers/internet-explorer/ie11-ieak/custombranding-ins-file-setting.md @@ -16,5 +16,5 @@ Provide the URL to your branding cabinet (.cab) file. |Name |Value | Description | |-----------|--------------------------------|--------------------------------------------------------------| -|Branding |`` |The location of your branding cabinet (.cab) file. For example, http://www.<your_server>.net/cabs/branding.cab.| +|Branding |`` |The location of your branding cabinet (.cab) file. For example, https://www.<your_server>.net/cabs/branding.cab.| diff --git a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md index a4bbac4b2e..fde8b84b67 100644 --- a/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md +++ b/browsers/internet-explorer/ie11-ieak/customize-automatic-search-for-ie.md @@ -21,7 +21,7 @@ You can customize Automatic Search so that your employees can type a single word **To set up Automatic Search** -1. Create a script (.asp) file that conditionally looks for search terms, and post it to an intranet server here: http://ieautosearch/response.asp?MT=%1&srch=%2.

+1. Create a script (.asp) file that conditionally looks for search terms, and post it to an intranet server here: https://ieautosearch/response.asp?MT=%1&srch=%2.

For info about the acceptable values for the *%1* and *%2* parameters, see the [Automatic Search parameters](#automatic-search-parameters). For an example of the script file, see the [Sample Automatic Search script](#sample-automatic-search-script).

**Important**
If you aren’t using IIS in your company, you’ll need to remap this URL to your script file’s location. @@ -72,18 +72,18 @@ searchOption = Request.QueryString("srch") ' about filling out an expense report if (search = "NEW HIRE") then -Response.Redirect("http://admin/hr/newhireforms.htm") +Response.Redirect("https://admin/hr/newhireforms.htm") elseif (search = "LIBRARY CATALOG") then -Response.Redirect("http://library/catalog") +Response.Redirect("https://library/catalog") elseif (search = "EXPENSE REPORT") then -Response.Redirect("http://expense") +Response.Redirect("https://expense") elseif (search = "LUNCH MENU") then -Response.Redirect("http://cafe/menu/") +Response.Redirect("https://cafe/menu/") else ' If there is not a match, use the ' default IE autosearch server -Response.Redirect("http://auto.search.msn.com/response.asp?MT=" +Response.Redirect("https://auto.search.msn.com/response.asp?MT=" + search + "&srch=" + searchOption + "&prov=&utf8") end if diff --git a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md index e6c5587108..0e0ea99ea5 100644 --- a/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md +++ b/browsers/internet-explorer/ie11-ieak/ieak-information-and-downloads.md @@ -2,10 +2,10 @@ ms.localizationpriority: medium ms.mktglfcycl: support ms.pagetype: security -description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. +description: The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. Use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. author: shortpatti ms.author: pashort -ms.manager: elizapo +ms.manager: dougkim ms.prod: ie11 ms.assetid: title: Internet Explorer Administration Kit (IEAK) information and downloads @@ -15,8 +15,11 @@ ms.date: 05/10/2018 # Internet Explorer Administration Kit (IEAK) information and downloads +>Applies to: Windows 10 + The Internet Explorer Administration Kit (IEAK) simplifies the creation, deployment, and management of customized Internet Explorer packages. You can use the IEAK to configure the out-of-box Internet Explorer experience or to manage user settings after Internet Explorer deployment. To find more information on the IEAK, see [What IEAK can do for you](what-ieak-can-do-for-you.md). + ## Internet Explorer Administration Kit 11 (IEAK 11) [IEAK 11 documentation](index.md) diff --git a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md index 60b082565b..604489d8fc 100644 --- a/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md @@ -17,7 +17,7 @@ The **Important URLS – Home Page and Support** page of the Internet Explorer C **To use the Important URLS – Home Page and Support page** 1. In the **Add a homepage URL** box, type the URL to the page your employees go to when they click the **Home** button, and then click **Add**.

-If you add multiple **Home** pages, each page appears on a separate tab in the browser. If you don’t add a custom **Home** page, IE uses http://www.msn.com by default. If you want to delete an existing page, click the URL and then click **Remove**. +If you add multiple **Home** pages, each page appears on a separate tab in the browser. If you don’t add a custom **Home** page, IE uses https://www.msn.com by default. If you want to delete an existing page, click the URL and then click **Remove**. 2. Check the **Retain previous Home Page (Upgrade)** box if you have employees with previous versions of IE, who need to keep their **Home** page settings when the browser is updated. diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md index c69fbd1f67..056ef076a4 100644 --- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md @@ -1,20 +1,19 @@ --- ms.localizationpriority: medium ms.mktglfcycl: plan -description: Learn about which version of the IEAK 11 you should run, based on your license agreement. +description: Learn about the version of the IEAK 11 you should run, based on your license agreement. author: pashort ms.author: shortpatti -ms.manager: elizapo ms.prod: ie11, ieak11 ms.assetid: 69d25451-08af-4db0-9daa-44ab272acc15 title: Determine the licensing version and features to use in IEAK 11 (Internet Explorer Administration Kit 11 for IT Pros) ms.sitesec: library -ms.date: 05/02/2018 +ms.date: 10/23/2018 --- # Determine the licensing version and features to use in IEAK 11 -In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11) (IEAK 11, the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment. +In addition to the Software License Terms for the Internet Explorer Administration Kit 11 (IEAK 11, referred to as the "software"), these Guidelines further define how you may and may not use the software to create versions of Internet Explorer 11 with optional customizations (referred to as the "customized browser") for internal use and distribution in accordance with the IEAK 11 Software License Terms. IEAK 11 is for testing purposes only and is not intended to be used in a production environment. During installation, you must pick a version of IEAK 11, either **External** or **Internal**, based on your license agreement. Your version selection decides the options you can chose, the steps you follow to deploy your Internet Explorer 11 package, and how you manage the browser after deployment. @@ -26,34 +25,36 @@ During installation, you must pick a version of IEAK 11, either **External** or ## Available features by version -|Internal |External | -|------------------------------------------|------------------------------------------| -|Welcome screen |Welcome screen | -|File locations |File locations | -|Platform selection |Platform selection | -|Language selection |Language selection | -|Package type selection |Package type selection | -|Feature selection |Feature selection | -|Automatic Version Synchronization (AVS) |Automatic Version Synchronization (AVS) | -|Custom components |Custom components | -|Internal install |Not available | -|User experience |Not available | -|Browser user interface |Browser user interface | -|Search providers |Search providers | -|Important URLs – Home page and support |Important URLs – Home page and support | -|Accelerators |Accelerators | -|Favorites, Favorites bar, and feeds |Favorites, Favorites bar, and feeds | -|Browsing options |Not available | -|First Run wizard and Welcome page options |First Run wizard and Welcome page options | -|Connection manager |Connection manager | -|Connection settings |Connection settings | -|Automatic configuration |Not available | -|Proxy settings |Proxy settings | -|Security and privacy settings |Not available | -|Add a root certificate |Not available | -|Programs |Programs | -|Additional settings |Not available | -|Wizard complete |Wizard complete | +| Feature | Internal | External | +| ---------------------------------------- | :---------------------------------------------: | :----------------------------------------------: | +|Welcome screen | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|File locations | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Platform selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Language selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Package type selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Feature selection | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Automatic Version Synchronization (AVS) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Custom components | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Internal install | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +|User experience | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +|Browser user interface | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Search providers | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Important URLs – Home page and support | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Accelerators | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Favorites, Favorites bar, and feeds | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Browsing options | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +|First Run wizard and Welcome page options | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Connection manager | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Connection settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Automatic configuration | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +|Proxy settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Security and privacy settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +|Add a root certificate | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +|Programs | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +|Additional settings | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Not available](https://docs.microsoft.com/microsoft-edge/deploy/images/148766.png) | +|Wizard complete | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | ![Available](https://docs.microsoft.com/microsoft-edge/deploy/images/148767.png) | +--- + ## Customization guidelines @@ -68,7 +69,7 @@ Two installation modes are available to you, depending on how you are planning t The table below identifies which customizations you may or may not perform based on the mode you selected. | **Feature Name** | **External Distribution** | **Internal Distribution** | -|---------------------------------|----------------------|-------------------| +|---------------------------------|:--------------------:|:-------------------:| | **Custom Components** | Yes | Yes | | **Title Bar** | Yes | Yes | | **Favorites** | One folder, containing any number of links. | Any number of folders/links. | @@ -96,7 +97,7 @@ Support for some of the Internet Explorer settings on the wizard pages varies de Two installation modes are available to you, depending on how you are planning to use the customized browser created with the software. Each mode requires a separate installation of the software. - **External Distribution** - You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [!INCLUDE [microsoft-browser-extension-policy-include](../../edge/microsoft-browser-extension-policy-include.md)]. + You shall use commercially reasonable efforts to maintain the quality of (i) any non-Microsoft software distributed with Internet Explorer 11, and (ii) any media used for distribution (for example, optical media, flash drives), at a level that meets or exceeds the highest industry standards. If you distribute add-ons with Internet Explorer 11, those add-ons must comply with the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy). - **Internal Distribution - corporate intranet** - The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. \ No newline at end of file + The software is solely for use by your employees within your company's organization and affiliated companies through your corporate intranet. Neither you nor any of your employees may permit redistribution of the software to or for use by third parties other than for third parties such as consultants, contractors, and temporary staff accessing your corporate intranet. diff --git a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md index 9a57aef1fa..5e04f4e473 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-auto-config-examples.md @@ -127,7 +127,7 @@ In this example, the proxy server is selected by translating the host name into ``` javascript function FindProxyForURL(url, host) { - if (dnsResolve(host) == "999.99.99.999") { // = http://secproxy + if (dnsResolve(host) == "999.99.99.999") { // = https://secproxy return "PROXY secproxy:8080"; } else { diff --git a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md index c29f790845..22252bf546 100644 --- a/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/proxy-settings-ieak11-wizard.md @@ -21,7 +21,7 @@ Using a proxy server lets you limit access to the Internet. You can also use the 1. Check the **Enable proxy settings** box if you want to use proxy servers for any of your services. 2. Type the address of the proxy server you want to use for your services into the **Address of proxy** box. In most cases, a single proxy server is used for all of your services.

-Proxy locations that don’t begin with a protocol (like, http:// or ftp://) are assumed to be a CERN-type HTTP proxy. For example, the entry *proxy* is treated the same as the entry `http://proxy`. +Proxy locations that don’t begin with a protocol (like, https:// or ftp://) are assumed to be a CERN-type HTTP proxy. For example, the entry *proxy* is treated the same as the entry `https://proxy`. 3. Type the port for each service. The default value is *80*. @@ -30,7 +30,7 @@ Proxy locations that don’t begin with a protocol (like, http:// or ftp://) are 5. Type any services that shouldn’t use a proxy server into the **Do not use proxy server for addresses beginning with** box.

When filling out your exceptions, keep in mind: - - Proxy bypass entries can begin with a protocol type, such as http://, https://, or ftp://. However, if a protocol type is used, the exception entry applies only to requests for that protocol. + - Proxy bypass entries can begin with a protocol type, such as https://, https://, or ftp://. However, if a protocol type is used, the exception entry applies only to requests for that protocol. - Protocol values are not case sensitive and you can use a wildcard character (*) in place of zero or more characters. diff --git a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md index 0e48aa99c7..3633d298c1 100644 --- a/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/search-providers-ieak11-wizard.md @@ -25,7 +25,7 @@ The **Search Provider** box appears. 3. In the **Display Name** box, type the text that appears in the **Search Options** menu for the search provider. -4. In the **URL** box, type the full URL to the search provider, including the http:// prefix. +4. In the **URL** box, type the full URL to the search provider, including the https:// prefix. 5. In the **Favicon URL** box, type the full URL to any icon to associate with your provider. diff --git a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md index 2526c4f33b..8f9826a8b5 100644 --- a/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md +++ b/browsers/internet-explorer/ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md @@ -57,7 +57,7 @@ Internet Explorer Setup can switch servers during the installation process to ma To address connection issues (for example, as a result of server problems) where Setup can’t locate another download site by default, we recommend you overwrite your first download server using this workaround: ``` syntax -\ie11setup.exe /C:"ie11wzd.exe /S:""\ie11setup.exe"" /L:""http://your_Web_server/your_Web_site/ie11sites.dat""" +\ie11setup.exe /C:"ie11wzd.exe /S:""\ie11setup.exe"" /L:""https://your_Web_server/your_Web_site/ie11sites.dat""" ``` Where `` represents the folder location where you stored IE11setup.exe. diff --git a/browsers/internet-explorer/nndxczrp.ojy.json b/browsers/internet-explorer/nndxczrp.ojy.json deleted file mode 100644 index 824a00e16b..0000000000 Binary files a/browsers/internet-explorer/nndxczrp.ojy.json and /dev/null differ diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md index e1fa685f30..b314f85b52 100644 --- a/devices/hololens/TOC.md +++ b/devices/hololens/TOC.md @@ -1,8 +1,9 @@ # [Microsoft HoloLens](index.md) ## [What's new in Microsoft HoloLens](hololens-whats-new.md) -## [Insider preview for Microsoft HoloLens](hololens-insider.md) ## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md) +## [Insider preview for Microsoft HoloLens](hololens-insider.md) ## [Set up HoloLens](hololens-setup.md) +## [Install localized version of HoloLens](hololens-install-localized.md) ## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) ## [Enroll HoloLens in MDM](hololens-enroll-mdm.md) ## [Manage updates to HoloLens](hololens-updates.md) @@ -10,8 +11,6 @@ ## [Share HoloLens with multiple people](hololens-multiple-users.md) ## [Configure HoloLens using a provisioning package](hololens-provisioning.md) ## [Install apps on HoloLens](hololens-install-apps.md) -## [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) -### [Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md) -### [Microsoft Layout app](hololens-microsoft-layout-app.md) ## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) +## [How HoloLens stores data for spaces](hololens-spaces.md) ## [Change history for Microsoft HoloLens documentation](change-history-hololens.md) \ No newline at end of file diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index 95f7f92bed..1fc820a243 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md @@ -9,18 +9,39 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2018 +ms.date: 11/05/2018 --- # Change history for Microsoft HoloLens documentation This topic lists new and updated topics in the [Microsoft HoloLens documentation](index.md). +## Windows 10 Holographic for Business, version 1809 + +The topics in this library have been updated for Windows 10 Holographic for Business, version 1809. + +## November 2018 + +New or changed topic | Description +--- | --- +[How HoloLens stores data for spaces](hololens-spaces.md) | New + + +## October 2018 + +New or changed topic | Description +--- | --- +[Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Removed, and redirected to [Mixed reality apps](https://docs.microsoft.com/dynamics365/#pivot=mixed-reality-apps) +[Microsoft Remote Assist app](hololens-microsoft-remote-assist-app.md) | Removed, and redirected to [Overview of Dynamics 365 Remote Assist](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/) +[Microsoft Dynamics 365 Layout app](hololens-microsoft-dynamics-365-layout-app.md) | Removed, and redirected to [Overview of Dynamics 365 Layout](https://docs.microsoft.com/dynamics365/mixed-reality/layout/) +[Insider preview for Microsoft HoloLens](hololens-insider.md) | Added instructions for opting out of Insider builds. + + ## July 2018 New or changed topic | Description --- | --- -[Insider preview for Microsoft HoloLens](hololens-insider.md) | New +Insider preview for Microsoft HoloLens | New (topic retired on release of Windows 10, version 1809) ## June 2018 diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md index 8210e1f2fb..bbb59099b1 100644 --- a/devices/hololens/hololens-encryption.md +++ b/devices/hololens/hololens-encryption.md @@ -21,40 +21,21 @@ You can enable [Bitlocker device encryption](https://docs.microsoft.com/windows/ You can use your mobile device management (MDM) provider to apply a policy that requires device encryption. The policy used is the [Security/RequireDeviceEncryption setting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-requiredeviceencryption) in the Policy CSP. -In the following steps, Microsoft Intune is used as the example. For other MDM tools, see your MDM provider's documentation for instructions. +[See instructions for enabling device encryption using Microsoft Intune.](https://docs.microsoft.com/intune/compliance-policy-create-windows#windows-holographic-for-business) -1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). +For other MDM tools, see your MDM provider's documentation for instructions. If your MDM provider requires custom URI for device encryption, use the following configuration: -2. Use **Search** or go to **More services** to open the Intune blade. - -3. Go to **Device configuration > Profiles**, and select **Create profile**. - - ![Intune create profile option](images/encrypt-create-profile.png) - -4. Enter a name of your choice, select **Windows 10 and later** for the platform, select **Custom** for the profile type, and then select **Add**. - - ![Intune custom setting screen](images/encrypt-custom.png) - -5. In **Add Row OMA-URI Settings**, enter or select the following information: - - **Name**: a name of your choice - - **Description**: optional - - **OMA-URI**: `./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption` - - **Data type**: integer - - **Value**: `1` - - ![Intune OMA-URI settings for encryption](images/encrypt-oma-uri.png) - -6. Select **OK**, select **OK**, and then select **Create**. The blade for the profile opens automatically. - -7. Select **Assignments** to assign the profile to a group. After you configure the assignment, select **Save**. - -![Intune profile assignment screen](images/encrypt-assign.png) +- **Name**: a name of your choice +- **Description**: optional +- **OMA-URI**: `./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption` +- **Data type**: integer +- **Value**: `1` ## Enable device encryption using a provisioning package Provisioning packages are files created by the Windows Configuration Designer tool that apply a specified configuration to a device. -### Create a provisioning package that upgrades the Windows Holographic edition +### Create a provisioning package that upgrades the Windows Holographic edition and enables encryption 1. [Create a provisioning package for HoloLens.](hololens-provisioning.md) diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index a22acbdaf9..3a90c8fe68 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2018 +ms.date: 10/23/2018 --- # Insider preview for Microsoft HoloLens @@ -25,75 +25,23 @@ Then, select **Active development of Windows**, choose whether you’d like to r Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. -## New features for HoloLens - -The latest Insider Preview (RS5) has arrived for all HoloLens customers! This latest flight is packed with improvements that have been introduced since the [last major release of HoloLens software in May 2018](https://docs.microsoft.com/windows/mixed-reality/release-notes). +## How do I stop receiving Insider builds? -### For everyone - +If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](https://docs.microsoft.com/windows/mixed-reality/reset-or-recover-your-hololens#perform-a-full-device-recovery) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic. -Feature | Details | Instructions ---- | --- | --- -Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) | To start recording, select **Start > Video**. To stop recording, select **Start > Stop video**. -Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter | On **Start**, select **Connect**. Select the device you want to project to. -New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. | You’ll now see notifications from apps that provide them. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). -HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. | When you’re using an immersive app, input text, select a file from the file picker, or interact with dialogs without leaving the app. -Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. | Adjust the device volume using the volume up/down buttons located on the right arm of the HoloLens. Use the visual display to track the volume level. -New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. | Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. -Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. | Capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge). Select a nearby Windows device to share with. -Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. | In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. +To verify that your HoloLens is running a production build: +- Go to **Settings > System > About**, and find the build number. +- If the build number is 10.0.17763.1, your HoloLens is running a production build. [See the list of production build numbers.](https://www.microsoft.com/itpro/windows-10/release-information) -### For developers - -- Support for Holographic [Camera Capture UI API](https://docs.microsoft.com/windows/uwp/audio-video-camera/capture-photos-and-video-with-cameracaptureui), which will let developers expose a way for users to seamlessly invoke camera or video capture from within their applications. For example, users can now capture and insert photo or video content directly within apps like Word. -- Mixed Reality Capture has been improved to exclude hidden mesh from captures, which means videos captures by apps will no longer contain black corners around the content. - -### For commercial customers +To opt out of Insider builds: +- On a HoloLens running a production build, go to **Settings > Update & Security > Windows Insider Program**, and select **Stop Insider builds**. +- Follow the instructions to opt out your device. -Feature | Details | Instructions ---- | --- | --- -Enable post-setup provisioning | Can now apply a runtime provisioning package at any time using **Settings**. | On your PC:

1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md).
2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC.
3. Drag and drop the provisioning package to the Documents folder on the HoloLens.

On your HoloLens:

1. Go to **Settings > Accounts > Access work or school**.
2. In **Related Settings**, select **Add or remove a provisioning package**.
3. On the next page, select **Add a package** to launch the file picker and select your provisioning package.
**Note:** if the folder is empty, make sure you select **This Device** and select **Documents**.
After your package has been applied, it will show in the list of Installed packages. To view package details or to remove the package from the device, select the listed package. -Assigned access with Azure AD groups | Flexibility to use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. | Prepare XML file to configure Assigned Access on PC:

1. In a text editor, open [the provided file AssignedAccessHoloLensConfiguration_AzureADGroup.xml](#xml).
2. Change the group ID to one available in your Azure AD tenant. You can find the group ID of an Azure Active Directory Group by either :
- following the steps at [Azure Active Directory version 2 cmdlets for group management](https://docs.microsoft.com/azure/active-directory/active-directory-accessmanagement-groups-settings-v2-cmdlets),
OR
- in the Azure portal, with the steps at [Manage the settings for a group in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-groups-settings-azure-portal).

**Note:** The sample configures the following apps: Skype, Learning, Feedback Hub, Flow, Camera, and Calibration.

Create provisioning package with WCD:

1. On a PC, follow the steps at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md) to create a provisioning package.
2. Ensure that you include the license file in **Set up device**.
3. Select **Switch to advanced editor** (bottom left), and **Yes** for warning prompt.
4. Expand the runtime settings selection in the **Available customizations** panel and select **AssignedAccess > MultiAppAssignedAccessSettings**.
5. In the middle panel, you should now see the setting displayed with documentation in the panel below. Browse to the XML you modified for Assigned Access.
6. On the **Export** menu, select **Provisioning package**.
**Warning:** If you encrypt the provisioning package, provisioning the HoloLens device will fail.
7. Select **Next** to specify the output location where you want the provisioning package to go once it's built.
8. Select **Next**, and then select **Build** to start building the package.
9. When the build completes, select **Finish**.

Apply the package to HoloLens:

1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). HoloLens will show up as a device in File Explorer on the PC.
2. In File Explorer, drag and drop the provisioning package (.ppkg) onto the device storage.
3. Briefly press and release the **Volume Down** and **Power** buttons simultaneously again while on the fit page.
4. The device will ask you if you trust the package and would like to apply it. Confirm that you trust the package.
5. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE.

Enable assigned access on HoloLens:

1. After applying the provisioning package, during the **Account Setup** flows in OOBE, select **My work or school owns this** to set up your device with an Azure AD account.
**Note:** This account must not be in the group chosen for Assigned Access.
2. Once you reach the Shell, ensure the Skype app is installed either via your MDM environment or from the Store.
3. After the Skype app is installed, sign out.
4. On the sign-in screen, select the **Other User** option and enter an Azure AD account email address that belongs to the group chosen for Assigned Access. Then enter the password to sign in. You should now see this user with only the apps configured in the Assigned Access profile. -PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | When signing in as **Other User**, the PIN option is now available under **Sign-In options**. -Sign in with Web Cred Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. Look for additional web sign-in methods coming in the future. | From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.  -Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view HoloLens device serial number. -Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. | Refer to your MDM documentation for feature availability, and for how to use your MDM console to view and set your HoloLens device name (rename). - -### For international customers - - -Feature | Details | Instructions ---- | --- | --- -Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. | See below. - -#### Installing the Chinese or Japanese versions of the Insider builds - -In order to switch to the Chinese or Japanese version of HoloLens, you’ll need to download the build for the language on a PC and then install it on your HoloLens using the Windows Device Recovery Tool (WDRT). - ->[!IMPORTANT] ->Installing the Chinese or Japanese builds of HoloLens using WDRT will delete existing data, like personal files and settings, from your HoloLens. - -1. On a retail HoloLens device, [opt in to Insider Preview builds](#get-insider) to prepare your device for the RS5 Preview. -2. On your PC, download and install [the Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379). -3. Download the package for the language you want to your PC: [Simplified Chinese](https://aka.ms/hololenspreviewdownload-ch) or [Japanese](https://aka.ms/hololenspreviewdownload-jp). -4. When the download is finished, select **File Explorer > Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all... > Extract** to unzip it. -5. Connect your HoloLens to your PC using the micro-USB cable it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)  -6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile. -7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.) -8. Select **Install software** and follow the instructions to finish installing. -9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions. - -When you’re done with setup, go to **Settings -> Update & Security -> Windows Insider Program** and check that you’re configured to receive the latest preview builds. The Chinese/Japanese version of HoloLens will be kept up-to-date with the latest preview builds via the Windows Insider Program the same way the English version is. - -## Note for language support - -- You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language. -- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the Shift key on a hardware keyboard toggles the keyboard to type in English). ## Note for developers -You are welcome and encouraged to try developing your applications using this build of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with this latest build of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development. +You are welcome and encouraged to try developing your applications using Insider builds of HoloLens. Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens. You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development. ## Provide feedback and report issues @@ -102,75 +50,3 @@ Please use [the Feedback Hub app](https://docs.microsoft.com/windows/mixed-reali >[!NOTE] >Be sure to accept the prompt that asks whether you’d like Feedback Hub to access your Documents folder (select **Yes** when prompted). - -## AssignedAccessHoloLensConfiguration_AzureADGroup.xml - -Copy this sample XML to use for the [**Assigned access with Azure AD groups** feature](#for-commercial-customers). - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - - - - - - - - -``` - diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md index 0799523310..05d7673aa2 100644 --- a/devices/hololens/hololens-install-apps.md +++ b/devices/hololens/hololens-install-apps.md @@ -8,7 +8,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 09/11/2018 +ms.date: 10/23/2018 --- # Install apps on HoloLens @@ -55,7 +55,8 @@ The method that you use to install an app from your Microsoft Store for Business ## Use MDM to deploy apps to HoloLens - +>[!IMPORTANT] +>Online-licensed apps cannot be deployed with Microsoft Store for Business on HoloLens via an MDM provider. If attempted, apps will remain in “downloading” state. Instead, you can use your MDM provider to deploy MDM-hosted apps to HoloLens, or deploy offline-licensed apps to HoloLens via Store for Business You can deploy UWP apps to HoloLens using your MDM provider. For Intune instructions, see [Deploy apps in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/add-apps). @@ -63,8 +64,6 @@ You can deploy UWP apps to HoloLens using your MDM provider. For Intune instruct Using Intune, you can also [monitor your app deployment](https://docs.microsoft.com/intune/deploy-use/monitor-apps-in-microsoft-intune). ->[!TIP] ->In Windows 10, version 1607, online-licensed apps cannot be deployed with Microsoft Store for Business on HoloLens via an MDM provider. If attempted, apps will remain in “downloading” state. [Update your HoloLens to a later build](https://support.microsoft.com/help/12643/hololens-update-hololens) for this capability. ## Use the Windows Device Portal to install apps on HoloLens @@ -80,15 +79,13 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft. >[!TIP] >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate). -4. In the Windows Device Portal, click **Views** and select **Apps**. +4. In the Windows Device Portal, click **Apps**. ![App Manager](images/apps.png) -5. Click **Add** to open the **Deploy or Install Application dialog**. +5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, such as dependency frameworks, select **I want to specify framework packages**. -6. Select an **app package** from a folder on your computer or network. If the app package requires additional software or framework packages, click **I want to specify framework packages**. - -7. Click **Next** to deploy the app package and added dependencies to the connected HoloLens. +6. In **Deploy**, click **Go** to deploy the app package and added dependencies to the connected HoloLens. diff --git a/devices/hololens/hololens-install-localized.md b/devices/hololens/hololens-install-localized.md new file mode 100644 index 0000000000..8e5a72150a --- /dev/null +++ b/devices/hololens/hololens-install-localized.md @@ -0,0 +1,35 @@ +--- +title: Install localized versions of HoloLens (HoloLens) +description: Learn how to install the Chinese or Japanese versions of HoloLens +ms.prod: hololens +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +ms.date: 11/13/2018 +--- + +# Install localized versions of HoloLens + +In order to switch to the Chinese or Japanese version of HoloLens, you’ll need to download the build for the language on a PC and then install it on your HoloLens using the Windows Device Recovery Tool (WDRT). + +>[!IMPORTANT] +>Installing the Chinese or Japanese builds of HoloLens using WDRT will delete existing data, like personal files and settings, from your HoloLens. + + +2. On your PC, download and install [the Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379). +3. Download the package for the language you want to your PC: [Simplified Chinese](https://aka.ms/hololensdownload-ch) or [Japanese](https://aka.ms/hololensdownload-jp). +4. When the download is finished, select **File Explorer > Downloads**. Right-click the zipped folder you just downloaded, and select **Extract all... > Extract** to unzip it. +5. Connect your HoloLens to your PC using the micro-USB cable it came with. (Even if you've been using other cables to connect your HoloLens, this one works best.)  +6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile. +7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.) +8. Select **Install software** and follow the instructions to finish installing. +9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions. + + +## Note for language support + +- You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language. +- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the ~ key on a hardware keyboard toggles the keyboard to type in English). diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 5e1218f90c..c888927596 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 08/14/2018 +ms.date: 11/13/2018 --- # Set up HoloLens in kiosk mode @@ -20,7 +20,17 @@ When HoloLens is configured as a multi-app kiosk, only the allowed apps are avai Single-app kiosk mode starts the specified app when the user signs in, and restricts the user's ability to launch new apps or change the running app. When single-app kiosk mode is enabled for HoloLens, the bloom gesture and Cortana are disabled, and placed apps aren't shown in the user's surroundings. -The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration. +The following table lists the device capabilities in the different kiosk modes. + +Kiosk mode | Voice and Bloom commands | Quick actions menu | Camera and video | Miracast +--- | --- | --- | --- | --- +Single-app kiosk | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![no](images/crossmark.png) +Multi-app kiosk | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) with **Home** and **Volume** (default)

Photo and video buttons shown in Quick actions menu if the Camera app is enabled in the kiosk configuration.

Miracast is shown if the Camera app and device picker app are enabled in the kiosk configuration. | ![yes](images/checkmark.png) if the Camera app is enabled in the kiosk configuration. | ![yes](images/checkmark.png) if the Camera app and device picker app are enabled in the kiosk configuration. + +>[!NOTE] +>Use the Application User Model ID (AUMID) to allow apps in your kiosk configuration. The Camera app AUMID is `HoloCamera_cw5n1h2txyewy!HoloCamera`. The device picker app AUMID is `HoloDevicesFlow_cw5n1h2txyewy!HoloDevicesFlow`. + +The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) enables kiosk configuration. >[!WARNING] >The assigned access feature which enables kiosk mode is intended for corporate-owned fixed-purpose devices. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all [the enforced policies](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#policies-set-by-multi-app-kiosk-configuration). A factory reset is needed to clear all the policies enforced via assigned access. @@ -145,7 +155,8 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) - +8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. +8. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. 8. On the **File** menu, select **Save.** 9. On the **Export** menu, select **Provisioning package**. 10. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources, and then select **Next.** diff --git a/devices/hololens/hololens-microsoft-layout-app.md b/devices/hololens/hololens-microsoft-layout-app.md deleted file mode 100644 index 4f5540e858..0000000000 --- a/devices/hololens/hololens-microsoft-layout-app.md +++ /dev/null @@ -1,73 +0,0 @@ ---- -title: Microsoft Layout -description: How to get and deploy the Microsoft Layout app throughout your organization -ms.prod: hololens -ms.sitesec: library -author: alhopper-msft -ms.author: alhopper -ms.topic: article -ms.localizationpriority: medium -ms.date: 05/21/2018 ---- -# Microsoft Layout - -Bring designs from concept to completion with confidence and speed. Import 3D models to easily create room layouts in real-world scale. Experience designs as high-quality holograms in physical space or virtual reality and edit with stakeholders in real time. With Microsoft Layout, see ideas in context, saving valuable time and money. - -## Device options and technical requirements - -Below are the device options, and technical requirements, to use and deploy Microsoft Layout throughout your organization. - -### Device options - -Microsoft Layout works with a HoloLens, or with a Windows Mixed Reality headset with motion controllers. - -#### HoloLens requirements - -| OS requirements | Details | -|:----------------------------------|:-----------------------------------------------------------| -| Build 10.0.17134.77 or above | See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens) for instructions on upgrading to this build. | - -#### Windows Mixed Reality headset requirements - -| Requirements | Details | -|:----------------------------------------------|:-----------------------------------------------------------| -| Windows 10 PC with build 16299.0 or higher | The Windows 10 PC hardware must be able to support the headset. See [Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) for specific hardware requirements. We recommend following the **Windows Mixed Reality Ultra** hardware guidelines. | -| Motion controllers | Motion controllers are hardware accessories that allow users to take action in mixed reality. See [Motion controllers](https://docs.microsoft.com/en-us/windows/mixed-reality/motion-controllers) to learn more. | - -### Technical requirements - -Have the following technical requirements in place to start using Microsoft Layout. - -| Requirement | Details | Learn more | -|:----------------------------------|:------------------|:------------------| -| Azure Active Directory (Azure AD) | Required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can also install Layout on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) | -| Network connectivity | Internet access is required to download the app, and utilize all of its features. There are no bandwidth requirements. | | -| Apps for sharing | Video calling or screen sharing requires a separate app, such as Microsoft Remote Assist on HoloLens, or Skype or Skype for Business on Windows Mixed Reality headsets.

A Windows 10 PC that meets the Windows Mixed Reality Ultra specifications is also required for video calling or screen sharing when using Layout with a Windows Mixed Reality headset. | [Remote Assist](hololens-microsoft-remote-assist-app.md)

[Windows Mixed Reality PC hardware guidelines](https://support.microsoft.com/en-us/help/4039260/windows-10-mixed-reality-pc-hardware-guidelines) | -| Import Tool for Microsoft Layout | The Import Tool for Microsoft Layout is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, so they can be viewed and edited from the HoloLens or mixed reality headset. The Import Tool is also required to transfer Visio space dimensions to the HoloLens or Windows Mixed Reality headset. | [Import Tool for Microsoft Layout](#get-and-deploy-the-import-tool-for-microsoft-layout) | - -## Get and deploy Microsoft Layout - -Microsoft Layout is available from the Microsoft Store for Business for free for a limited time: - -1. Go to the [Microsoft Layout](https://businessstore.microsoft.com/en-us/store/details/app/9NSJN53K3GFJ) app in the Microsoft Store for Business. -1. Click **Get the app**. Microsoft Layout is added to the **Products and Services** tab for your private store. -1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps. - -For a limited time, users can also [Get Microsoft Layout from the Microsoft Store](https://www.microsoft.com/store/productId/9NSJN53K3GFJ) for free. - -### Get and deploy the Import Tool for Microsoft Layout - -The **Import Tool for Microsoft Layout** is a companion app for Layout that makes model optimization and management easy. The Import Tool runs on Windows 10 PCs, and is required to transfer existing 3D models from your PC to Microsoft Layout, for viewing and editing on Microsoft HoloLens or a Windows Mixed Reality headset. - -The companion app is available in both the Microsoft Store for Business, and the Microsoft Store, for free for a limited time: - -* [Get the Microsoft Layout Import Tool](https://businessstore.microsoft.com/en-us/store/details/app/9N88Q3RXPLP0) from the Microsoft Store for Business. See [Distribute apps to your employees from Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business) for instructions on using the Microsoft Store for Business, and/or MDM, to deploy Windows 10 apps throughout your organization. -* Alternately, have your users [Get the Microsoft Layout Import Tool](https://www.microsoft.com/store/productId/9N88Q3RXPLP0) from the Microsoft Store to install the app on their Windows 10 PC. - -## Use Microsoft Layout - -For guidance on using the features of the Microsoft Layout app, please see [Set up and use Microsoft Layout](https://support.microsoft.com/help/4294437). - -## Questions and support - -You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality). \ No newline at end of file diff --git a/devices/hololens/hololens-microsoft-remote-assist-app.md b/devices/hololens/hololens-microsoft-remote-assist-app.md deleted file mode 100644 index 221c650ada..0000000000 --- a/devices/hololens/hololens-microsoft-remote-assist-app.md +++ /dev/null @@ -1,64 +0,0 @@ ---- -title: Microsoft Remote Assist -description: How to get and deploy the Microsoft Remote Assist app throughout your organization -ms.prod: hololens -ms.sitesec: library -author: alhopper-msft -ms.author: alhopper -ms.topic: article -ms.localizationpriority: medium -ms.date: 05/22/2018 ---- -# Microsoft Remote Assist - -Collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. Firstline workers can share what they see with any expert on Microsoft Teams, while staying hands on to solve problems and complete tasks together, faster. Backed by enterprise-level security, Microsoft Remote Assist enables communication with peace of mind. - -## Technical requirements - -Below are the technical requirements to deploy and use Microsoft Remote Assist throughout your organization. - -### Device requirements - -| Device | OS requirements | Details | -|:---------------------------|:----------------------------------|:-----------------------------------------------------------| -| HoloLens | Build 10.0.14393.0 or above | See [Manage updates to HoloLens](https://docs.microsoft.com/en-us/HoloLens/hololens-updates) for instructions on using Windows Update for Business, MDM, and Windows Server Update Service (WSUS) to deploy updates to HoloLens. | -| Windows 10 PC (optional) | Any Windows 10 build | A Windows 10 PC can collaborate with the HoloLens using Microsoft Teams. | - -> [!Note] -> HoloLens build 10.0.14393.0 is the minimum that supports Remote Assist. We recommend updating the HoloLens to newer versions when they are available. - -### Licensing & product requirements - -| Product required | Details | Learn more | -|:----------------------------------|:------------------|:------------------| -| Azure Active Directory (Azure AD) | Required to log users into the Remote Assist app through Microsoft Teams. Also required for app distribution through the [Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/sign-up-microsoft-store-for-business). If you choose not to distribute the app through the Microsoft Store for Business, users can alternately install Remote Assist on a HoloLens or PC from the [Microsoft Store](https://www.microsoft.com/en-us/store/apps). | [Get started with Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/get-started-azure-ad) | -| Microsoft Teams | Microsoft Teams facilitates communication in Remote Assist. Microsoft Teams must be installed on any device that will make calls to the HoloLens. | [Overview of Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/teams-overview) | -| Microsoft Office 365 | Because Microsoft Teams is part of Office 365, each user who will make calls from their PC/phone to the HoloLens will need an Office 365 license. | [Office 365 licensing for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/office-365-licensing) | - -### Network requirements - -1.5 MB/s is the recommended bandwidth for optimal performance of Microsoft Remote Assist. Though audio/video calls may be possible in environments with reduced bandwidth, you may experience HoloLens feature degradation, limiting the user experience. To test your company’s network bandwidth, follow these steps: - - 1. Have a Teams user video call another Teams user. - 2. Add another separate video call between a 3rd and 4th user, and another for a 5th and 6th user. - 3. Continue adding video callers to stress test your network bandwidth until confident that multiple users can successfully connect on video calls at the same time. - -See [Preparing your organization's network for Microsoft Teams](https://docs.microsoft.com/en-us/MicrosoftTeams/prepare-network) to learn more. - -## Get and deploy Microsoft Remote Assist - -Microsoft Remote Assist is available from the Microsoft Store for Business for free for a limited time: - -1. Go to the [Microsoft Remote Assist](https://businessstore.microsoft.com/en-us/store/details/app/9PPJSDMD680S) app in the Microsoft Store for Business. -1. Click **Get the app**. Microsoft Remote Assist is added to the **Products and Services** tab for your private store. -1. Users can open the **Products and Services** tab to install the app to their device, or you can deploy the app throughout your organization using MDM. See [Install apps on HoloLens](hololens-install-apps.md) for further instructions on deploying apps. - -For a limited time, users can also [Get Microsoft Remote Assist from the Microsoft Store](https://www.microsoft.com/store/productId/9PPJSDMD680S) for free. - -## Use Microsoft Remote Assist - -For guidance on using the features of the Microsoft Remote Assist app, please see [Set up and use Microsoft Remote Assist](https://support.microsoft.com/en-us/help/4294812). - -## Questions and support - -You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality). diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index c1a90edadb..00a7436e23 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 04/30/2018 +ms.date: 11/13/2018 --- # Configure HoloLens using a provisioning package @@ -49,8 +49,7 @@ Provisioning packages can include management instructions and policies, customiz > [!TIP] > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc. -> ->![open advanced editor](images/icd-simple-edit.png) + ### Create the provisioning package @@ -77,8 +76,8 @@ Use the Windows Configuration Designer tool to create a provisioning package. ![step two](images/two.png) ![set up network](images/set-up-network.png)

Toggle **On** or **Off** for wireless network connectivity. If you select **On**, enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.![Enter network SSID and type](images/set-up-network-details-desktop.png) ![step three](images/three.png) ![account management](images/account-management.png)

You can enroll the device in Azure Active Directory, or create a local account on the device

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local account, select that option and enter a user name and password.

**Important:** (For Windows 10, version 1607 only) If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. ![join Azure AD or create a local account](images/account-management-details.png) ![step four](images/four.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.![add a certificate](images/add-certificates-details.png) -![Developer Setup](images/developer-setup.png)

Toggle **Yes** or **No** to enable Developer Mode on the HoloLens. [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)![Enable Developer Mode](images/developer-setup-details.png) -![finish](images/finish.png)

Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail.![Protect your package](images/finish-details.png) +![step five](images/five.png) ![Developer Setup](images/developer-setup.png)

Toggle **Yes** or **No** to enable Developer Mode on the HoloLens. [Learn more about Developer Mode.](https://docs.microsoft.com/windows/uwp/get-started/enable-your-device-for-development#developer-mode)![Enable Developer Mode](images/developer-setup-details.png) +![step six](images/six.png) ![finish](images/finish.png)

Do not set a password to protect your provisioning package. If the provisioning package is protected by a password, provisioning the HoloLens device will fail.![Protect your package](images/finish-details.png) After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. @@ -137,7 +136,7 @@ After you're done, click **Create**. It only takes a few seconds. When the packa 10. When the build completes, click **Finish**. -## Apply a provisioning package to HoloLens +## Apply a provisioning package to HoloLens during setup 1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). @@ -156,6 +155,23 @@ After you're done, click **Create**. It only takes a few seconds. When the packa >[!NOTE] >If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package. +## Apply a provisioning package to HoloLens after setup + +>[!NOTE] +>Windows 10, version 1809 only + +On your PC: +1. Create a provisioning package as described at [Create a provisioning package for HoloLens using the HoloLens wizard](hololens-provisioning.md). +2. Connect the HoloLens device via USB to a PC. HoloLens will show up as a device in File Explorer on the PC. +3. Drag and drop the provisioning package to the Documents folder on the HoloLens. + +On your HoloLens: +1. Go to **Settings > Accounts > Access work or school**. +2. In **Related Settings**, select **Add or remove a provisioning package**. +3. On the next page, select **Add a package** to launch the file picker and select your provisioning package. If the folder is empty, make sure you select **This Device** and select **Documents**. + +After your package has been applied, it will show in the list of **Installed packages**. To view package details or to remove the package from the device, select the listed package. + ## What you can configure Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). diff --git a/devices/hololens/hololens-public-preview-apps.md b/devices/hololens/hololens-public-preview-apps.md deleted file mode 100644 index e3a966f008..0000000000 --- a/devices/hololens/hololens-public-preview-apps.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: Preview new mixed reality apps for HoloLens -description: Here's how to download and distribute new mixed reality apps for HoloLens, free for a limited time during public preview -ms.prod: hololens -ms.sitesec: library -author: alhopper -ms.author: alhopper -ms.topic: article -ms.localizationpriority: medium -ms.date: 05/21/2018 ---- -# Preview new mixed reality apps for HoloLens - -Microsoft has just announced two new mixed reality apps coming to HoloLens: Microsoft Remote Assist and Microsoft Layout. - -The gap between the real and digital world limits our ability to take advantage of new technologies and transform how we work, learn, create, communicate, and live. **Mixed reality is here to close that gap**. - -Mixed reality has the potential to help customers and businesses across the globe do things that until now, have never been possible. Mixed reality helps businesses and employees complete crucial tasks faster, safer, more efficiently, and create new ways to connect to customers and partners. - -Ready to get started? Check out the links below to learn more about how you can download and deploy Microsoft's new commercial-focused mixed reality apps. - -## In this section - -| Topic | Description | -| --- | --- | -| [Microsoft Remote Assist](hololens-microsoft-remote-assist-app.md) | Microsoft Remote Assist enables collaboration in mixed reality to solve problems faster. Firstline workers can collaborate remotely with heads-up, hands-free video calling, image sharing, and mixed reality annotations. They can share what they see with an expert on Microsoft Teams, while staying hands-on to solve problems and complete tasks together, faster. | -| [Microsoft Layout](hololens-microsoft-layout-app.md ) | Bring designs from concept to completion with confidence and speed using Microsoft Layout. Import 3D models to easily create room layouts in real-world scale. Experience designs as high-quality holograms in physical or virtual space and edit in real time. With Microsoft Layout, you can see ideas in context, saving valuable time and money. | - -## Questions and support - -You can ask questions and engage with our team in the [Mixed Reality Tech Community](https://techcommunity.microsoft.com/t5/Mixed-Reality/ct-p/MixedReality). \ No newline at end of file diff --git a/devices/hololens/hololens-setup.md b/devices/hololens/hololens-setup.md index 6912c956f4..0f62fc2e6e 100644 --- a/devices/hololens/hololens-setup.md +++ b/devices/hololens/hololens-setup.md @@ -7,7 +7,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 08/02/2018 +ms.date: 07/27/2017 --- # Set up HoloLens @@ -30,12 +30,7 @@ The HoloLens setup process combines a quick tutorial on using HoloLens with the 2. [Turn on HoloLens](https://support.microsoft.com/help/12642). You will be guided through a calibration procedure and how to perform [the gestures](https://support.microsoft.com/help/12644/hololens-use-gestures) that you will use to operate HoloLens. 3. Next, you'll be guided through connecting to a Wi-Fi network. 4. After HoloLens connects to the Wi-Fi network, you select between **My work or school owns it** and **I own it**. - - When you choose **My work or school owns it**, you sign in with an Azure AD account. - - >[!NOTE] - >[To share your HoloLens device with multiple Azure AD accounts](hololens-multiple-users.md), the HoloLens device must be running Windows 10, version 1803, and be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md). - - If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app). + - When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens will be enrolled in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available, so you will need to [enroll HoloLens in device management manually](hololens-enroll-mdm.md#enroll-through-settings-app). 1. Enter your organizational account. 2. Accept privacy statement. 3. Sign in using your Azure AD credentials. This may redirect to your organization's sign-in page. diff --git a/devices/hololens/hololens-spaces.md b/devices/hololens/hololens-spaces.md new file mode 100644 index 0000000000..19307fdfb6 --- /dev/null +++ b/devices/hololens/hololens-spaces.md @@ -0,0 +1,69 @@ +--- +title: How HoloLens stores data for spaces (HoloLens) +description: +ms.prod: hololens +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.localizationpriority: medium +ms.date: 11/05/2018 +--- + +# How HoloLens stores data for spaces + +In the Windows 10, version 1803 update for Microsoft HoloLens, the mapping data for [spaces](https://support.microsoft.com/help/13760/hololens-spaces-on-hololens) is stored in a local database. + +The map database is not exposed to a user of the device, even when plugged into a PC or when using the File Explorer app. When BitLocker is enabled, the stored map data is also encrypted with the entire volume. + +Holograms that are anchored within the same map section are considered to be “nearby” in the current space. + + +## Frequently asked questions + +**How can I remove map data and known spaces from the HoloLens?** + +There are two options for deleting map data in **Settings > System > Holograms**: + +- Select **Remove nearby holograms** to delete nearby holograms, clearing the map data and anchored holograms for the current space. A brand new map section would be created and stored in the database for that location while the device is used there. This option can be used to clear the map data for work without affecting any map data from home, for example. +- Select **Remove all holograms** to delete all holograms, clearing all locally stored map data and anchored holograms. No holograms will be rediscovered and any holograms need to be newly placed. + +>[!NOTE] +>When you remove nearby or all holograms, HoloLens immediately starts scanning and mapping the current space. + +**How does Wi-Fi data get used by HoloLens and where is the data stored?** + +As long as Wi-Fi is enabled, map data will be correlated with nearby Wi-Fi access points. There is no difference in behavior if a network is connected or just nearby. Network characteristics are not sent to Microsoft, and all Wi-Fi references are kept local on the HoloLens. + +Wi-Fi characteristics are stored locally to help correlate hologram locations and map sections stored within HoloLens’ database of known spaces. It’s inaccessible to users, and not sent to Microsoft via the cloud or via telemetry. + + + +**Does HoloLens need to be connected to the internet?** + +No, internet connectivity is not required. Observed Wi-Fi access points are obtained without being connected or authenticated. It does not change functionality if the access points are internet connected or intranet/local only. + + + + + +**Since HoloLens no longer requires you to select a space when Wi-Fi is disabled, how does it find the space automatically?** + +If Wi-Fi is disabled, the space search can still happen; HoloLens will need to search more of the map data within the spaces database, and finding holograms can take longer. + +HoloLens will sense and remember spaces even when Wi-Fi is disabled, by securely storing the sensor data when holograms are placed. Without the Wi-Fi info, the space and holograms may be slower to recognize at a later time, as the HoloLens needs to compare active scans to all hologram anchors and map sections stored on the device in order to locate the correct portion of the map. + +HoloLens will visually compare the current scanning data from the sensors to locally stored map sections in the entire spaces database. It will locate holograms faster if the Wi-Fi characteristics can be found, to narrow down the number of spaces to compare. + + + + +  + + + +## Related topics + +- [Environment considerations for HoloLens](https://docs.microsoft.com/windows/mixed-reality/environment-considerations-for-hololens) +- [Spatial mapping design](https://docs.microsoft.com/windows/mixed-reality/spatial-mapping-design) +- [HoloLens and holograms: FAQ](https://support.microsoft.com/help/13456/hololens-and-holograms-faq) diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index e10552862b..9ea1e9de34 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md @@ -14,36 +14,30 @@ ms.date: 04/30/2018 >**Looking for how to get the latest update? See [Update HoloLens](https://support.microsoft.com/help/12643/hololens-update-hololens).** -Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). - >[!NOTE] >HoloLens devices must be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md) to manage updates. +For a complete list of Update policies, see [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business). -Mobile device management (MDM) providers use the [Policy Configuration Service Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) to enable update management. +To configure how and when updates are applied, use the following policies: +- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) +- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) +- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) -The Update policies supported for HoloLens are: +To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates: +- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) -- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) -- [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) -- [Update/RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requiredeferupgrade) -- [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) -- [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) +In Microsoft Intune, you can use **Automatic Update Behavior** to change this policy. (See [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure)) - - -Typically, devices access Windows Update directly for updates. You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead: +For devices on Windows 10, version 1607 only: You can use the following update policies to configure devices to get updates from Windows Server Update Service (WSUS) instead of Windows Update: - [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) - [Update/RequireUpdateApproval](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-requireupdateapproval) - [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) -In Microsoft Intune, use [a custom profile](https://docs.microsoft.com/intune/custom-settings-windows-holographic) to configure devices to get updates from WSUS. - - - ## Related topics -- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) \ No newline at end of file +- [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business) +- [Manage software updates in Microsoft Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure) diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md index 75556a83db..0e17d81790 100644 --- a/devices/hololens/hololens-whats-new.md +++ b/devices/hololens/hololens-whats-new.md @@ -1,18 +1,60 @@ --- title: What's new in Microsoft HoloLens (HoloLens) -description: Windows Holographic for Business gets new features in Windows 10, version 1803. +description: Windows Holographic for Business gets new features in Windows 10, version 1809. ms.prod: hololens ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 04/30/2018 +ms.date: 11/13/2018 --- # What's new in Microsoft HoloLens +## Windows 10, version 1809 for Microsoft HoloLens +### For everyone + +Feature | Details +--- | --- +Quick actions menu | When you're in an app, the Bloom gesture will now open a Quick actions menu to give you quick access to commonly used system features without having to leave the app. See [Set up HoloLens in kiosk mode](hololens-kiosk.md) for information about the Quick actions menu in kiosk mode.

![sample of the Quick actions menu](images/minimenu.png) +Stop video capture from the Start or quick actions menu | If you start video capture from the Start menu or quick actions menu, you’ll be able to stop recording from the same place. (Don’t forget, you can always do this with voice commands too.) +Project to a Miracast-enabled device | Project your HoloLens content to a nearby Surface device or TV/Monitor if using Microsoft Display adapter. On **Start**, select **Connect**, and then select the device you want to project to. **Note:** You can deploy HoloLens to use Miracast projection without enabling developer mode. +New notifications | View and respond to notification toasts on HoloLens, just like you do on a PC. Gaze to respond to or dismiss them (or if you’re in an immersive experience, use the bloom gesture). +HoloLens overlays (file picker, keyboard, dialogs, etc.) | You’ll now see overlays such as the keyboard, dialogs, file picker, etc. when using immersive apps. +Visual feedback overlay UI for volume change | When you use the volume up/down buttons on your HoloLens you’ll see a visual display of the volume level. +New UI for device boot | A loading indicator was added during the boot process to provide visual feedback that the system is loading. Reboot your device to see the new loading indicator—it’s between the "Hello" message and the Windows boot logo. +Share UX: Nearby Sharing | Addition of the Windows Nearby Sharing experience, allowing you to share a capture with a nearby Windows device. When you capture a photo or video on HoloLens (or use the share button from an app such as Microsoft Edge), select a nearby Windows device to share with. +Share from Microsoft Edge | Share button is now available on Microsoft Edge windows on HoloLens. In Microsoft Edge, select **Share**. Use the HoloLens share picker to share web content. + + + +### For administrators + + +Feature | Details +--- | --- +[Enable post-setup provisioning](hololens-provisioning.md) | You can now apply a runtime provisioning package at any time using **Settings**. +Assigned access with Azure AD groups | You can now use Azure AD groups for configuration of Windows assigned access to set up single or multi-app kiosk configuration. +PIN sign-in on profile switch from sign-in screen | PIN sign-in is now available for **Other User**.  | When signing in as **Other User**, the PIN option is now available under **Sign-In options**. +Sign in with Web Credential Provider using password | You can now select the Globe sign-in option to launch web sign-in with your password. From the sign-in screen, select **Sign-In options** and select the Globe option to launch web sign-in. Enter your user name if needed, then your password.
**Note:** You can choose to bypass any PIN/Smartcard options when prompted during web sign-in.  +Read device hardware info through MDM so devices can be tracked by serial # | IT administrators can see and track HoloLens by device serial number in their MDM console. Refer to your MDM documentation for feature availability and instructions. +Set HoloLens device name through MDM (rename) |  IT administrators can see and rename HoloLens devices in their MDM console. Refer to your MDM documentation for feature availability and instructions. + +### For international customers + + +Feature | Details +--- | --- +Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands. +Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese, and English. + +[Learn how to install the Chinese and Japanese versions of HoloLens.](hololens-install-localized.md) + + + +## Windows 10, version 1803 for Microsoft HoloLens Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes: @@ -49,6 +91,6 @@ Windows 10, version 1803, is the first feature update to Windows Holographic for ## Additional resources - [Reset or recover your HoloLens](https://developer.microsoft.com/windows/mixed-reality/reset_or_recover_your_hololens) -- [Restart, rest, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens) +- [Restart, reset, or recover HoloLens](https://support.microsoft.com/help/13452/hololens-restart-reset-or-recover-hololens) - [Manage devices running Windows Holographic with Microsoft Intune](https://docs.microsoft.com/intune/windows-holographic-for-business) diff --git a/devices/hololens/images/account-management-details.png b/devices/hololens/images/account-management-details.png index 4094dabd85..20816830a4 100644 Binary files a/devices/hololens/images/account-management-details.png and b/devices/hololens/images/account-management-details.png differ diff --git a/devices/hololens/images/account-management.PNG b/devices/hololens/images/account-management.PNG index 34165dfcd6..da53cb74b8 100644 Binary files a/devices/hololens/images/account-management.PNG and b/devices/hololens/images/account-management.PNG differ diff --git a/devices/hololens/images/add-certificates.PNG b/devices/hololens/images/add-certificates.PNG index 24cb605d1c..7a16dffd26 100644 Binary files a/devices/hololens/images/add-certificates.PNG and b/devices/hololens/images/add-certificates.PNG differ diff --git a/devices/hololens/images/developer-setup-details.png b/devices/hololens/images/developer-setup-details.png index 0a32af7ba7..d445bf5759 100644 Binary files a/devices/hololens/images/developer-setup-details.png and b/devices/hololens/images/developer-setup-details.png differ diff --git a/devices/hololens/images/developer-setup.png b/devices/hololens/images/developer-setup.png index 826fda5f25..a7e49873b0 100644 Binary files a/devices/hololens/images/developer-setup.png and b/devices/hololens/images/developer-setup.png differ diff --git a/devices/hololens/images/finish.PNG b/devices/hololens/images/finish.PNG index 7c65da1799..975caba764 100644 Binary files a/devices/hololens/images/finish.PNG and b/devices/hololens/images/finish.PNG differ diff --git a/devices/hololens/images/minimenu.png b/devices/hololens/images/minimenu.png new file mode 100644 index 0000000000..7aa0018011 Binary files /dev/null and b/devices/hololens/images/minimenu.png differ diff --git a/devices/hololens/images/set-up-device-details.PNG b/devices/hololens/images/set-up-device-details.PNG index 85b7dd382e..7325e06e86 100644 Binary files a/devices/hololens/images/set-up-device-details.PNG and b/devices/hololens/images/set-up-device-details.PNG differ diff --git a/devices/hololens/images/set-up-device.PNG b/devices/hololens/images/set-up-device.PNG index 0c9eb0e3ff..577117a26a 100644 Binary files a/devices/hololens/images/set-up-device.PNG and b/devices/hololens/images/set-up-device.PNG differ diff --git a/devices/hololens/images/set-up-network.PNG b/devices/hololens/images/set-up-network.PNG index a0e856c103..19fd3ff7bb 100644 Binary files a/devices/hololens/images/set-up-network.PNG and b/devices/hololens/images/set-up-network.PNG differ diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 786b38a1e3..9b7ed69845 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -22,9 +22,9 @@ ms.date: 07/27/2018 | Topic | Description | | --- | --- | | [What's new in Microsoft HoloLens](hololens-whats-new.md) | Discover the new features in the latest update. | -[Insider preview for Microsoft HoloLens](hololens-insider.md) | Learn about new HoloLens features available in the latest Insider Preview build. | [HoloLens in the enterprise: requirements](hololens-requirements.md) | Lists requirements for general use, Wi-Fi, and device management | | [Set up HoloLens](hololens-setup.md) | How to set up HoloLens for the first time | +[Install localized version of HoloLens](hololens-install-localized.md) | Install the Chinese or Japanese version of HoloLens | [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md) | How to upgrade your Development Edition HoloLens to Windows Holographic for Business | | [Enroll HoloLens in MDM](hololens-enroll-mdm.md) | Manage multiple HoloLens devices simultaneously using solutions like Microsoft Intune | | [Manage updates to HoloLens](hololens-updates.md) | Use mobile device management (MDM) policies to configure settings for updates. | @@ -32,7 +32,6 @@ ms.date: 07/27/2018 [Share HoloLens with multiple people](hololens-multiple-users.md) | Multiple users can shared a HoloLens device by using their Azure Active Directory accounts. | | [Configure HoloLens using a provisioning package](hololens-provisioning.md) | Provisioning packages make it easy for IT administrators to configure HoloLens devices without imaging | | [Install apps on HoloLens](hololens-install-apps.md) | Use Microsoft Store for Business, mobile device management (MDM), or the Windows Device Portal to install apps on HoloLens | -| [Preview new mixed reality apps for HoloLens](hololens-public-preview-apps.md) | Download and deploy new mixed reality apps for HoloLens, free for a limited time during public preview | | [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md) | Learn how to use Bitlocker device encryption to protect files and information stored on the HoloLens | | [Change history for Microsoft HoloLens documentation](change-history-hololens.md) | See new and updated topics in the HoloLens documentation library. | diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md index 618afe96b7..634261a1e3 100644 --- a/devices/surface-hub/accessibility-surface-hub.md +++ b/devices/surface-hub/accessibility-surface-hub.md @@ -54,7 +54,7 @@ Additionally, these accessibility features and apps are returned to default sett ## Change accessibility settings during a meeting During a meeting, users can toggle accessibility features and apps in a couple ways: -- [Keyboard shortcuts](https://support.microsoft.com/en-us/help/13813/windows-10-microsoft-surface-hub-keyboard-shortcuts) +- [Keyboard shortcuts](https://support.microsoft.com/help/13813/windows-10-microsoft-surface-hub-keyboard-shortcuts) - **Quick Actions** > **Ease of Access** from the status bar > ![Image showing Quick Action center on Surface Hub](images/sh-quick-action.png) diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 4e42bd0dad..dc313f8f5d 100644 --- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -75,10 +75,16 @@ From here on, you'll need to finish the account creation process using PowerShel In order to run cmdlets used by these PowerShell scripts, the following must be installed for the admin PowerShell console: -- [Microsoft Online Services Sign-In Assistant for IT Professionals BETA](https://go.microsoft.com/fwlink/?LinkId=718149) +- [Microsoft Online Services Sign-In Assistant for IT Professionals RTW](https://www.microsoft.com/en-us/download/details.aspx?id=41950) - [Windows Azure Active Directory Module for Windows PowerShell](https://www.microsoft.com/web/handlers/webpi.ashx/getinstaller/WindowsAzurePowershellGet.3f.3f.3fnew.appids) - [Skype for Business Online, Windows PowerShell Module](https://www.microsoft.com/download/details.aspx?id=39366) +Install the following module in Powershell +``` syntax + install-module AzureAD + Install-module MsOnline +``` + ### Connecting to online services 1. Run Windows PowerShell as Administrator. @@ -200,8 +206,7 @@ In order to enable Skype for Business, your environment will need to meet the fo 2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell - Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool - "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress + Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: @@ -356,18 +361,22 @@ In order to enable Skype for Business, your environment will need to meet the fo Import-PSSession $cssess -AllowClobber ``` -2. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: +2. Retrieve your Surface Hub account Registrar Pool + +If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: + + ```PowerShell + Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool* + ``` + +3. To enable your Surface Hub account for Skype for Business Server, run this cmdlet: ```PowerShell Enable-CsMeetingRoom -Identity $strEmail -RegistrarPool "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress ``` - If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: - - ```PowerShell - Get-CsOnlineUser -Identity ‘alice@contoso.microsoft.com’| fl *registrarpool* - ``` + diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json index dc151c3165..47f420a4d0 100644 --- a/devices/surface-hub/docfx.json +++ b/devices/surface-hub/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md index 2574c2cbf6..6fcee63f5d 100644 --- a/devices/surface-hub/first-run-program-surface-hub.md +++ b/devices/surface-hub/first-run-program-surface-hub.md @@ -396,7 +396,7 @@ Once the device has been domain joined, you must specify a security group from t The following input is required: - **Domain:** This is the fully qualified domain name (FQDN) of the domain that you want to join. A security group from this domain can be used to manage the device. -- **User name:** The user name of an account that has sufficient permission to join the specified domain. This account must be a computer object. +- **User name:** The user name of an account that has sufficient permission to join the specified domain. - **Password:** The password for the account. After the credentials are verified, you will be asked to type a security group name. This input is required. diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index 8ff6d0d31f..f91b3e81bf 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -54,6 +54,7 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof ## Additional resources - [Surface Hub update history](https://support.microsoft.com/help/4037666/surface-surface-hub-update-history) +- [Surface Hub help](https://support.microsoft.com/hub/4343507/surface-hub-help) - [Surface IT Pro Blog](https://blogs.technet.microsoft.com/surface/) - [Surface Playlist of videos](https://www.youtube.com/playlist?list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ) - [Microsoft Surface on Twitter](https://twitter.com/surface) diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index ffa77e640e..847625be1f 100644 --- a/devices/surface-hub/install-apps-on-surface-hub.md +++ b/devices/surface-hub/install-apps-on-surface-hub.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 10/20/2017 +ms.date: 10/23/2018 ms.localizationpriority: medium --- @@ -19,7 +19,9 @@ You can install additional apps on your Surface Hub to fit your team or organiza A few things to know about apps on Surface Hub: - Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://support.microsoft.com/help/4040382/surface-Apps-that-work-with-Microsoft-Surface-Hub). - Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631) or Windows Team device family. -- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub. +- Surface Hub only supports [offline-licensed apps](https://docs.microsoft.com/microsoft-store/distribute-offline-apps) from Microsoft Store for Business. +- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode. +- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub. - You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Microsoft Store to download and install apps. @@ -27,7 +29,7 @@ A few things to know about apps on Surface Hub: While you're developing your own app, there are a few options for testing apps on Surface Hub. ### Developer Mode -By default, Surface Hub only runs UWP apps that have been published to and signed by the Microsoft Store. Apps submitted to the Microsoft Store go through security and compliance tests as part of the [app certification process](https://msdn.microsoft.com/en-us/windows/uwp/publish/the-app-certification-process), so this helps safeguard your Surface Hub against malicious apps. +By default, Surface Hub only runs UWP apps that have been published to and signed by the Microsoft Store. Apps submitted to the Microsoft Store go through security and compliance tests as part of the [app certification process](https://msdn.microsoft.com/windows/uwp/publish/the-app-certification-process), so this helps safeguard your Surface Hub against malicious apps. By enabling developer mode, you can also install developer-signed UWP apps. @@ -144,8 +146,8 @@ To deploy apps to a large number of Surface Hubs in your organization, use a sup 8. On the **Import Information** page, review the information that was imported, and then click **Next**. If necessary, you can click **Previous** to go back and correct any errors. 9. On the **General Information** page, complete additional details about the app. Some of this information might already be populated if it was automatically obtained from the app package. 10. Click **Next**, review the application information on the Summary page, and then complete the Create Application Wizard. -11. Create a deployment type for the application. For more information, see [Create deployment types for the application](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/create-applications#create-deployment-types-for-the-application). -12. Deploy the application to your Surface Hubs. For more information, see [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/deploy-applications). +11. Create a deployment type for the application. For more information, see [Create deployment types for the application](https://docs.microsoft.com/sccm/apps/deploy-use/create-applications#create-deployment-types-for-the-application). +12. Deploy the application to your Surface Hubs. For more information, see [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications). 13. As needed, update the app by downloading a new package from the Store for Business, and publishing an application revision in Configuration Manager. For more information, see [Update and retire applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt595704.aspx). > [!NOTE] diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index d0e895cd1a..0771aab258 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -148,9 +148,9 @@ The following tables include info on Windows 10 settings that have been validate | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | | --- | --- | --- |---- | --- | --- | -| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes.
See [Configure Intune certificate profiles](https://docs.microsoft.com/en-us/intune/deploy-use/configure-intune-certificate-profiles). | Yes.
See [How to create certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-certificate-profiles). | Yes | +| Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes.
See [Configure Intune certificate profiles](https://docs.microsoft.com/intune/deploy-use/configure-intune-certificate-profiles). | Yes.
See [How to create certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/create-certificate-profiles). | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. @@ -160,7 +160,7 @@ The following tables include info on Windows 10 settings that have been validate | --- | --- | --- |---- | --- | --- | | Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes | +| Collect security auditing logs | Use to remotely collect security auditing logs from Surface Hub. | SecurityAuditing node in [Reporting CSP](https://msdn.microsoft.com/library/windows/hardware/mt608321.aspx) | No | No | Yes |--> \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Set network quality of service (QoS) policy diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 6dcce110f5..625ba99f34 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -39,7 +39,7 @@ You can also configure Surface Hub to receive updates from both Windows Update f Surface Hub uses the Windows 10 servicing model, referred to as [Windows as a Service (WaaS)](https://docs.microsoft.com/windows/deployment/update/waas-overview). Traditionally, new features were added only in new versions of Windows that were released every few years. Each new version required lengthy and expensive processes to deploy in an organization. As a result, end users and organizations don't frequently enjoy the benefits of new innovation. The goal of Windows as a Service is to continually provide new capabilities while maintaining a high level of quality. Microsoft publishes two types of Surface Hub releases broadly on an ongoing basis: -- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish two tnew feature updates per year. +- **Feature updates** - Updates that install the latest new features, experiences, and capabilities. Microsoft expects to publish two new feature updates per year. - **Quality updates** - Updates that focus on the installation of security fixes, drivers, and other servicing updates. Microsoft expects to publish one cumulative quality update per month. In order to improve release quality and simplify deployments, all new releases that Microsoft publishes for Windows 10, including Surface Hub, will be cumulative. This means new feature updates and quality updates will contain the payloads of all previous releases (in an optimized form to reduce storage and networking requirements), and installing the release on a device will bring it completely up to date. Also, unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 quality update. For example, if a quality update contains fixes for three security vulnerabilities and one reliability issue, deploying the update will result in the installation of all four fixes. diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md index ac60abe27d..a210f9834d 100644 --- a/devices/surface-hub/monitor-surface-hub.md +++ b/devices/surface-hub/monitor-surface-hub.md @@ -85,7 +85,7 @@ This table describes the sample queries in the Surface Hub solution: | Alert type | Impact | Recommended remediation | Details | | ---------- | ------ | ----------------------- | ------- | -| Software | Error | **Reboot the device**.
Reboot manually, or using the [Reboot configuration service provider](https://msdn.microsoft.com/en-us/library/windows/hardware/mt720802(v=vs.85).aspx).
Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions:
- A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive.
- The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the diagnostic data reporting system. | +| Software | Error | **Reboot the device**.
Reboot manually, or using the [Reboot configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt720802(v=vs.85).aspx).
Suggest doing this between meetings to minimize impact to your people in your organization. | Trigger conditions:
- A critical process in the Surface Hub operating system, such as the shell, projection, or Skype, crashes or becomes non-responsive.
- The device hasn't reported a heartbeat in the past 24 hours. This may be due to network connectivity issue or network-related hardware failure, or an error with the diagnostic data reporting system. | | Software | Error | **Check your Exchange service**.
Verify:
- The service is available.
- The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details.| Triggers when there's an error syncing the device calendar with Exchange. | | Software | Error | **Check your Skype for Business service**.
Verify:
- The service is available.
- The device account password is up to date – see [Password management](password-management-for-surface-hub-device-accounts.md) for details.
- The domain name for Skype for Business is properly configured - see [Configure a domain name](use-fully-qualified-domain-name-surface-hub.md). | Triggers when Skype fails to sign in. | | Software | Error | **Reset the device**.
This takes some time, so you should take the device offline.
For more information, see [Device reset](device-reset-surface-hub.md).| Triggers when there is an error cleaning up user and app data at the end of a session. When this operation repeatedly fails, the device is locked to protect user data. You must reset the device to continue. | @@ -95,7 +95,7 @@ This table describes the sample queries in the Surface Hub solution: **To set up an alert** 1. From the Surface Hub solution, select one of the sample queries. 2. Modify the query as desired. See Log Analytics search reference to learn more. -3. Click **Alert** at the top of the page to open the **Add Alert Rule** screen. See [Alerts in Log Analytics](https://azure.microsoft.com/en-us/documentation/articles/log-analytics-alerts/) for details on the options to configure the alert. +3. Click **Alert** at the top of the page to open the **Add Alert Rule** screen. See [Alerts in Log Analytics](https://azure.microsoft.com/documentation/articles/log-analytics-alerts/) for details on the options to configure the alert. 4. Click **Save** to complete the alert rule. It will start running immediately. ## Enroll your Surface Hub diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index c62abeb7fa..46877db4de 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -99,7 +99,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013 8. OPTIONAL: You can also allow your Surface Hub to make and receive public switched telephone network (PSTN) phone calls by enabling Enterprise Voice for your account. Enterprise Voice isn't a requirement for Surface Hub, but if you want PSTN dialing functionality for the Surface Hub client, here's how to enable it: ```PowerShell - Set-CsMeetingRoom -Identity HUB01 -DomainController DC-ND-001.contoso.com -LineURI “tel:+14255550555;ext=50555" -EnterpriseVoiceEnabled $true + Set-CsMeetingRoom -Identity HUB01 -DomainController DC-ND-001.contoso.com -LineURI "tel:+14255550555;ext=50555" -EnterpriseVoiceEnabled $true ``` Again, you need to replace the provided domain controller and phone number examples with your own information. The parameter value `$true` stays the same. diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md index babce30d59..cae7e9639e 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md @@ -80,7 +80,7 @@ If you have a multi-forest on-premises deployment with Microsoft Exchange 2013 o 6. You now need to change the room mailbox to a linked mailbox: ```PowerShell - $cred=Get-Credential AuthForest\LinkedRoomTest1 + $cred=Get-Credential AuthForest\ADAdmin Set-mailbox -Alias LinkedRoomTest1 -LinkedMasterAccount AuthForest\LinkedRoomTest1 -LinkedDomainController AuthForest-4939.AuthForest.extest.contoso.com -Name LinkedRoomTest1 -LinkedCredential $cred -Identity LinkedRoomTest1 ``` diff --git a/devices/surface-hub/skype-hybrid-voice.md b/devices/surface-hub/skype-hybrid-voice.md index 4b3c12deab..5537a823c7 100644 --- a/devices/surface-hub/skype-hybrid-voice.md +++ b/devices/surface-hub/skype-hybrid-voice.md @@ -65,7 +65,7 @@ If you deployed Skype for Business Cloud PBX with one of the hybrid voice option If you haven’t created a compatible policy yet, use the following cmdlet (this one creates a policy called "Surface Hubs"). After it’s created, you can apply the same policy to other device accounts. ``` - $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false + $easPolicy = New-MobileDeviceMailboxPolicy -Name "SurfaceHubs" -PasswordEnabled $false ``` After you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. Run the following cmdlets to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox (you may need to re-enable the account and set the password again). diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md index d5f9dc8d57..a068fe1fab 100644 --- a/devices/surface-hub/surface-hub-authenticator-app.md +++ b/devices/surface-hub/surface-hub-authenticator-app.md @@ -23,7 +23,7 @@ To let people in your organization sign in to Surface Hub with their phones and - Make sure you have at minimum an Office 365 E3 subscription. -- [Configure Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings). Make sure **Notification through mobile app** is selected. +- [Configure Multi-Factor Authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-mfasettings). Make sure **Notification through mobile app** is selected. ![multi-factor authentication options](images/mfa-options.png) diff --git a/devices/surface-hub/surface-hub-start-menu.md b/devices/surface-hub/surface-hub-start-menu.md index 5e6469aab1..dbd5b02e92 100644 --- a/devices/surface-hub/surface-hub-start-menu.md +++ b/devices/surface-hub/surface-hub-start-menu.md @@ -29,7 +29,7 @@ The customized Start menu is defined in a Start layout XML file. You have two op >[!TIP] >To add a tile with a web link to your desktop start menu, go to the link in Microsoft Edge, select `...` in the top right corner, and select **Pin this page to Start**. See [a Start layout that includes a Microsoft Edge link](#edge) for an example of how links will appear in the XML. -To edit the default XML or the exported layout, familiarize yourself with the [Start layout XML](https://docs.microsoft.com/en-us/windows/configuration/start-layout-xml-desktop). There are a few [differences between Start layout on a deskop and a Surface Hub.](#differences) +To edit the default XML or the exported layout, familiarize yourself with the [Start layout XML](https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop). There are a few [differences between Start layout on a deskop and a Surface Hub.](#differences) When you have your Start menu defined in a Start layout XML, [create an MDM policy to apply the layout.](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management#a-href-idbkmk-domaingpodeploymentacreate-a-policy-for-your-customized-start-layout) @@ -38,7 +38,7 @@ When you have your Start menu defined in a Start layout XML, [create an MDM poli There are a few key differences between Start menu customization for Surface Hub and a Windows 10 desktop: -- You cannot use **DesktopApplicationTile** (https://docs.microsoft.com/en-us/windows/configuration/start-layout-xml-desktop#startdesktopapplicationtile) in your Start layout XML because Windows desktop applications (Win32) are not supported on Surface Hub. +- You cannot use **DesktopApplicationTile** (https://docs.microsoft.com/windows/configuration/start-layout-xml-desktop#startdesktopapplicationtile) in your Start layout XML because Windows desktop applications (Win32) are not supported on Surface Hub. - You cannot use the Start layout XML to configure the taskbar or the Welcome screen for Surface Hub. - Surface Hub supports a maximum of 6 columns (6 1x1 tiles), however, you **must** define `GroupCellWidth=8` even though Surface Hub will only display tiles in columns 0-5, not columns 6 and 7. - Surface Hub supports a maximum 6 rows (6 1x1 tiles) @@ -145,7 +145,7 @@ This example shows a link to a website and a link to a .pdf file. TileID="2678823080" DisplayName="Bing" Arguments="https://www.bing.com/" - Square150x150LogoUri="ms-appdata:///local/PinnedTiles/2678823080/lowres.png" + Square150x150LogoUri="ms-appx:///" Wide310x150LogoUri="ms-appx:///" ShowNameOnSquare150x150Logo="true" ShowNameOnWide310x150Logo="false" @@ -164,7 +164,10 @@ This example shows a link to a website and a link to a .pdf file. TileID="6153963000" DisplayName="cstrtqbiology.pdf" Arguments="-contentTile -formatVersion 0x00000003 -pinnedTimeLow 0x45b7376e -pinnedTimeHigh 0x01d2356c -securityFlags 0x00000000 -tileType 0x00000000 -url 0x0000003a https://www.ada.gov/regs2010/2010ADAStandards/Guidance_2010ADAStandards.pdf" - Square150x150LogoUri="ms-appdata:///local/PinnedTiles/2678823080/lowres.png" Wide310x150LogoUri="ms-appx:///" ShowNameOnSquare150x150Logo="true" ShowNameOnWide310x150Logo="true" + Square150x150LogoUri="ms-appx:///" + Wide310x150LogoUri="ms-appx:///" + ShowNameOnSquare150x150Logo="true" + ShowNameOnWide310x150Logo="true" BackgroundColor="#ff4e4248" Size="4x2" Row="4" @@ -177,6 +180,11 @@ This example shows a link to a website and a link to a .pdf file. ``` +>[!NOTE] +>Microsoft Edge tile logos won't appear on secondary tiles because they aren't stored in Surface Hub. +> +>The default value for `ForegroundText` is light; you don't need to include `ForegroundText` in your XML unless you're changing the value to dark. + ## More information - [Blog post: Changing Surface Hub’s Start Menu](https://blogs.technet.microsoft.com/y0av/2018/02/13/47/) diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md index 1473174177..985b44c3cd 100644 --- a/devices/surface-hub/surfacehub-whats-new-1703.md +++ b/devices/surface-hub/surfacehub-whats-new-1703.md @@ -34,7 +34,7 @@ Settings have been added to mobile device management (MDM) and configuration ser - Properties/DoNotShowMyMeetingsAndFiles - System/AllowStorageCard -Plus settings based on the new [NetworkQoSPolicy CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) and [NetworkProxy CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/networkproxy-csp). +Plus settings based on the new [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) and [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp).
## Provisioning wizard diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 6bb7a33e57..3f99c917af 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -10,10 +10,10 @@ ### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) #### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md) #### [Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md) +### [Battery Limit setting](battery-limit.md) ## [Surface firmware and driver updates](update.md) ### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) ### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) -### [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) ### [Surface Dock Updater](surface-dock-updater.md) ### [Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) ## [Considerations for Surface and System Center Configuration Manager](considerations-for-surface-and-system-center-configuration-manager.md) @@ -25,6 +25,9 @@ ### [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) ### [Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) ### [Use System Center Configuration Manager to manage devices with SEMM](use-system-center-configuration-manager-to-manage-devices-with-semm.md) +## [Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) +### [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) +### [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) ## [Surface Data Eraser](microsoft-surface-data-eraser.md) ## [Top support solutions for Surface devices](support-solutions-surface.md) ## [Change history for Surface documentation](change-history-for-surface.md) diff --git a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md index edc8b8e993..d9d67fc9ab 100644 --- a/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md +++ b/devices/surface/advanced-uefi-security-features-for-surface-pro-3.md @@ -24,7 +24,7 @@ To address more granular control over the security of Surface devices, the v3.11 ## Manually install the UEFI update -Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically by using Windows Update, see [How to configure and use Automatic Updates in Windows](https://support.microsoft.com/en-us/kb/306525). +Before you can configure the advanced security features of your Surface device, you must first install the v3.11.760.0 UEFI update. This update is installed automatically if you receive your updates from Windows Update. For more information about how to configure Windows to update automatically by using Windows Update, see [How to configure and use Automatic Updates in Windows](https://support.microsoft.com/kb/306525). To update the UEFI on Surface Pro 3, you can download and install the Surface UEFI updates as part of the Surface Pro 3 Firmware and Driver Pack. These firmware and driver packs are available from the [Surface Pro 3 page](https://www.microsoft.com/download/details.aspx?id=38826) on the Microsoft Download Center. You can find out more about the firmware and driver packs at [Download the latest firmware and drivers for Surface devices](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). The firmware and driver packs are available as both self-contained Windows Installer (.msi) and archive (.zip) formats. You can find out more about these two formats and how you can use them to update your drivers at [Manage Surface driver and firmware updates](https://technet.microsoft.com/itpro/surface/manage-surface-pro-3-firmware-updates). diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md new file mode 100644 index 0000000000..1e86776942 --- /dev/null +++ b/devices/surface/battery-limit.md @@ -0,0 +1,84 @@ +--- +title: Battery Limit setting (Surface) +description: Battery Limit is a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity. +ms.prod: w10 +ms.mktglfcycl: manage +ms.pagetype: surface, devices +ms.sitesec: library +author: brecords +ms.date: 10/02/2018 +ms.author: jdecker +ms.topic: article +--- + +# Battery Limit settings + +Battery Limit option is a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity. This setting is recommended in cases in which the device is continuously connected to power, for example when devices are integrated into kiosk solutions. + +## Battery Limit information + +Setting the device on Battery Limit changes the protocol for charging the device battery. When Battery Limit is enabled, the battery charge will be limited to 50% of its maximum capacity. The charge level reported in Windows will reflect this limit. Therefore, it will show that the battery is charged up to 50% and will not charge beyond this limit. If you enable Battery Limit while the device is above 50% charge, the Battery icon will show that the device is plugged in but discharging until the device reaches 50% of its maximum charge capacity. + +Adding the Battery Limit option to Surface UEFI will require a [Surface UEFI firmware update](update.md), which will be made available through Windows Update or via the MSI driver and firmware packages on the Microsoft Download Center. Check [Enable "Battery Limit" for Surface devices that have to be plugged in for extended periods of time](https://support.microsoft.com/help/4464941) for the specific Surface UEFI version required for each device and supported devices. Currently, Battery Limit is only supported on Surface Pro 4 and Surface Pro 3. However, the setting will be available in the future on other Surface device models. + +## Enabling Battery Limit in Surface UEFI (Surface Pro 4 and later) + +The Surface UEFI Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **boot configuration**, and then, under **Advanced Options**, toggle **Enable Battery Limit Mode** to **On**. + +![Screenshot of Advanced options](images/enable-bl.png) + +## Enabling Battery Limit in Surface UEFI (Surface Pro 3) + +The Surface UEFI Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **Kiosk Mode**, select **Battery Limit**, and then choose **Enabled**. + +![Screenshot of Advanced options](images/enable-bl-sp3.png) + +![Screenshot of Advanced options](images/enable-bl-sp3-2.png) + +## Enabling Battery Limit using Surface Enterprise Management Mode (SEMM) or Surface Pro 3 firmware PowerShell scripts + +The Surface UEFI battery limit is also available for configuration via the following methods: + +- Surface Pro 4 and later + - [Microsoft Surface UEFI Configurator](https://docs.microsoft.com/surface/surface-enterprise-management-mode) + - Surface UEFI Manager Powershell scripts (SEMM_Powershell.zip) in the [Surface Tools for IT downloads](https://www.microsoft.com/download/details.aspx?id=46703) +- Surface Pro 3 + - [SP3_Firmware_Powershell_Scripts.zip](https://www.microsoft.com/download/details.aspx?id=46703) + +### Using Microsoft Surface UEFI Configurator + +To configure Battery Limit mode, set the **Kiosk Overrides** setting on the **Advanced Settings** configuration page in SEMM (Surface Pro 4 and later). + +![Screenshot of advanced settings](images/semm-bl.png) + +### Using Surface UEFI Manager PowerShell scripts + +The battery limit feature is controlled via the following setting: + +`407 = Battery Profile` + +**Description**: Active management scheme for battery usage pattern + +**Default**: `0` + +Set this to `1` to enable Battery Limit. + +### Using Surface Pro 3 firmware tools + +The battery limit feature is controlled via the following setting: + +**Name**: BatteryLimitEnable + +**Description**: BatteryLimit + +**Current Value**: `0` + +**Default Value**: `0` + +**Proposed Value**: `0` + +Set this to `1` to enable Battery Limit. + +>[!NOTE] +>To configure this setting, you must use [SP3_Firmware_Powershell_Scripts.zip](https://www.microsoft.com/download/details.aspx?id=46703). + diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md index 7b010ca138..5c34d22900 100644 --- a/devices/surface/change-history-for-surface.md +++ b/devices/surface/change-history-for-surface.md @@ -7,13 +7,29 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 05/15/2018 +ms.date: 11/15/2018 --- # Change history for Surface documentation This topic lists new and updated topics in the Surface documentation library. +## November 2018 + +New or changed topic | Description +--- | --- +|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface Pro 6 | +[Surface Diagnostic Toolkit for Business](surface-diagnostic-toolkit-business.md) | New +[Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) | New +[Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) | New + +## October 2018 + +New or changed topic | Description +--- | --- +[Battery Limit setting](battery-limit.md) | New +|[Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) | Added Surface GO | + ## May 2018 |New or changed topic | Description | diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index a023fdb141..52a92a6ef7 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: brecords -ms.date: 09/13/2018 +ms.date: 11/15/2018 ms.author: jdecker ms.topic: article --- @@ -38,32 +38,50 @@ Recent additions to the downloads for Surface devices provide you with options t >[!NOTE] >A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information. +## Surface Laptop 2 + +Download the following updates for [Surface Laptop 2 from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57515). +* SurfaceLaptop2_Win10_XXXXX_XXXXXXX_X.msi – Cumulative firmware and driver update package for Windows 10 + +## Surface Pro 6 + +Download the following updates for [Surface Pro 6 from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57514). + +* SurfacePro6_Win10_XXXXX_XXXXXXX_X.msi – Cumulative firmware and driver update package for Windows 10 + +## Surface GO + +Download the following updates for [Surface GO from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57439). +* SurfaceGO_Win10_17134_1802010_6.msi - Cumulative firmware and driver update package for Windows 10 ## Surface Book 2 - Download the following updates for [Surface Book 2 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56261). * SurfaceBook2_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 ## Surface Laptop - Download the following updates for [Surface Laptop from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55489). * SurfaceLaptop_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 ## Surface Pro - Download the following updates for [Surface Pro (Model 1796) from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55484). * SurfacePro_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 ## Surface Pro with LTE Advanced - Download the following updates for [Surface Pro with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=56278). + * SurfacePro_LTE_Win10_xxxxx_xxxxxx.msi – Cumulative firmware and driver update package for Windows 10 +## Surface Pro 6 + +Download the following updates for [Surface Pro 6 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=57514). + +* SurfacePro6_Win10_17134_xxxxx_xxxxxx.msi + ## Surface Studio diff --git a/devices/surface/deploy.md b/devices/surface/deploy.md index 00e7dc22e0..69865822f6 100644 --- a/devices/surface/deploy.md +++ b/devices/surface/deploy.md @@ -6,14 +6,14 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: brecords -ms.date: 01/29/2018 +ms.date: 10/02/2018 ms.author: jdecker ms.topic: article --- # Deploy Surface devices -Get deployment guidance for your Surface devices including information about MDT, OOBE customization, Ethernet adaptors, and Surface Deployment Accelerator. +Get deployment guidance for your Surface devices including information about Microsoft Deployment Toolkit (MDT), out-of-box-experience (OOBE) customization, Ethernet adaptors, Surface Deployment Accelerator, and the Battery Limit setting. ## In this section @@ -26,6 +26,7 @@ Get deployment guidance for your Surface devices including information about MDT | [Customize the OOBE for Surface deployments](customize-the-oobe-for-surface-deployments.md)| Walk through the process of customizing the Surface out-of-box experience for end users in your organization.| | [Ethernet adapters and Surface deployment](ethernet-adapters-and-surface-device-deployment.md)| Get guidance and answers to help you perform a network deployment to Surface devices.| | [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md)| See how Microsoft Surface Deployment Accelerator provides a quick and simple deployment mechanism for organizations to reimage Surface devices. | +[Battery Limit setting](battery-limit.md) | Learn how to use Battery Limit, a UEFI setting that changes how the Surface device battery is charged and may prolong its longevity. diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json index 86d594455f..8477cac86f 100644 --- a/devices/surface/docfx.json +++ b/devices/surface/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/devices/surface/images/enable-bl-sp3-2.png b/devices/surface/images/enable-bl-sp3-2.png new file mode 100644 index 0000000000..f1940c403f Binary files /dev/null and b/devices/surface/images/enable-bl-sp3-2.png differ diff --git a/devices/surface/images/enable-bl-sp3.png b/devices/surface/images/enable-bl-sp3.png new file mode 100644 index 0000000000..7fa99786f1 Binary files /dev/null and b/devices/surface/images/enable-bl-sp3.png differ diff --git a/devices/surface/images/enable-bl.png b/devices/surface/images/enable-bl.png new file mode 100644 index 0000000000..a99cb994fb Binary files /dev/null and b/devices/surface/images/enable-bl.png differ diff --git a/devices/surface/images/sdt-1.png b/devices/surface/images/sdt-1.png new file mode 100644 index 0000000000..fb10753608 Binary files /dev/null and b/devices/surface/images/sdt-1.png differ diff --git a/devices/surface/images/sdt-2.png b/devices/surface/images/sdt-2.png new file mode 100644 index 0000000000..be951967f0 Binary files /dev/null and b/devices/surface/images/sdt-2.png differ diff --git a/devices/surface/images/sdt-3.png b/devices/surface/images/sdt-3.png new file mode 100644 index 0000000000..0d3077cc1b Binary files /dev/null and b/devices/surface/images/sdt-3.png differ diff --git a/devices/surface/images/sdt-4.png b/devices/surface/images/sdt-4.png new file mode 100644 index 0000000000..babddbb240 Binary files /dev/null and b/devices/surface/images/sdt-4.png differ diff --git a/devices/surface/images/sdt-5.png b/devices/surface/images/sdt-5.png new file mode 100644 index 0000000000..5c5346d93a Binary files /dev/null and b/devices/surface/images/sdt-5.png differ diff --git a/devices/surface/images/sdt-6.png b/devices/surface/images/sdt-6.png new file mode 100644 index 0000000000..acf8e684b3 Binary files /dev/null and b/devices/surface/images/sdt-6.png differ diff --git a/devices/surface/images/sdt-7.png b/devices/surface/images/sdt-7.png new file mode 100644 index 0000000000..5e16961c6b Binary files /dev/null and b/devices/surface/images/sdt-7.png differ diff --git a/devices/surface/images/sdt-desk-1.png b/devices/surface/images/sdt-desk-1.png new file mode 100644 index 0000000000..f1ecc03b30 Binary files /dev/null and b/devices/surface/images/sdt-desk-1.png differ diff --git a/devices/surface/images/sdt-desk-2.png b/devices/surface/images/sdt-desk-2.png new file mode 100644 index 0000000000..3d066cb3e5 Binary files /dev/null and b/devices/surface/images/sdt-desk-2.png differ diff --git a/devices/surface/images/sdt-desk-3.png b/devices/surface/images/sdt-desk-3.png new file mode 100644 index 0000000000..bbd9709300 Binary files /dev/null and b/devices/surface/images/sdt-desk-3.png differ diff --git a/devices/surface/images/sdt-desk-4.png b/devices/surface/images/sdt-desk-4.png new file mode 100644 index 0000000000..f533646605 Binary files /dev/null and b/devices/surface/images/sdt-desk-4.png differ diff --git a/devices/surface/images/sdt-desk-5.png b/devices/surface/images/sdt-desk-5.png new file mode 100644 index 0000000000..664828762e Binary files /dev/null and b/devices/surface/images/sdt-desk-5.png differ diff --git a/devices/surface/images/sdt-desk-6.png b/devices/surface/images/sdt-desk-6.png new file mode 100644 index 0000000000..1b9ce9f7e2 Binary files /dev/null and b/devices/surface/images/sdt-desk-6.png differ diff --git a/devices/surface/images/semm-bl.png b/devices/surface/images/semm-bl.png new file mode 100644 index 0000000000..3f8a375057 Binary files /dev/null and b/devices/surface/images/semm-bl.png differ diff --git a/devices/surface/index.md b/devices/surface/index.md index 477f6aaedf..20d2c00e79 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -18,7 +18,7 @@ ms.date: 10/16/2017 This library provides guidance to help you deploy Windows on Microsoft Surface devices, keep those devices up to date, and easily manage and support Surface devices in your organization. -For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/en-us/windows/surface). +For more information on planning for, deploying, and managing Surface devices in your organization, see the [Surface TechCenter](https://technet.microsoft.com/windows/surface). ## In this section diff --git a/devices/surface/manage-surface-dock-firmware-updates.md b/devices/surface/manage-surface-dock-firmware-updates.md deleted file mode 100644 index 45bf61629f..0000000000 --- a/devices/surface/manage-surface-dock-firmware-updates.md +++ /dev/null @@ -1,124 +0,0 @@ ---- -title: Manage Surface Dock firmware updates (Surface) -description: Read about the different methods you can use to manage the process of Surface Dock firmware updates. -ms.assetid: 86DFC0C0-C842-4CD1-A2D7-4425471FFE3F -ms.localizationpriority: medium -keywords: firmware, update, install, drivers -ms.prod: w10 -ms.mktglfcycl: manage -ms.pagetype: surface, devices -ms.sitesec: library -author: jobotto -ms.author: jdecker -ms.topic: article -ms.date: 07/27/2017 ---- - -# Manage Surface Dock firmware updates - - -Read about the different methods you can use to manage the process of Surface Dock firmware updates. - -The Surface Dock provides external connectivity to Surface devices through a single cable connection that includes Power, Ethernet, Audio, USB 3.0, and DisplayPort. The numerous connections provided by the Surface Dock are enabled by a smart chipset within the Surface Dock device. Like a Surface device’s chipset, the chipset that is built into the Surface Dock is controlled by firmware. For more information about the Surface Dock, see the [Surface Dock demonstration](https://technet.microsoft.com/mt697552) video. - -Like the firmware for Surface devices, firmware for Surface Dock is also contained within a downloaded driver that is visible in Device Manager. This driver stages the firmware update files on the Surface device. When a Surface Dock is connected and the driver is loaded, the newer version of the firmware staged by the driver is detected and firmware files are copied to the Surface Dock. The Surface Dock then begins a two-phase process to apply the firmware internally. Each phase requires the Surface Dock to be disconnected from the Surface device before the firmware is applied. The driver copies the firmware into the dock, but only applies it when the user disconnects the Surface device from the Surface Dock. This ensures that there are no disruptions because the firmware is only applied when the user leaves their desk with the device. - - ->[!NOTE] ->You can learn more about the firmware update process for Surface devices and how firmware is updated through driver installation at the following links: ->- [How to manage and update Surface drivers and firmware](https://technet.microsoft.com/mt697551) from Microsoft Mechanics ->- [Windows Update Makes Surface Better](https://go.microsoft.com/fwlink/p/?LinkId=785354) on the Microsoft Devices Blog - - -  - -The Surface Dock firmware update process shown in Figure 1 follows these steps: - -1. Drivers for Surface Dock are installed on Surface devices that are connected, or have been previously connected, to a Surface Dock. - -2. The drivers for Surface Dock are loaded when a Surface Dock is connected to the Surface device. - -3. The firmware version installed in the Surface Dock is compared with the firmware version staged by the Surface Dock driver. - -4. If the firmware version on the Surface Dock is older than the firmware version contained in the Surface Dock driver, the main chipset firmware update files are copied from the driver to the Surface Dock. - -5. When the Surface Dock is disconnected, the Surface Dock installs the firmware update to the main chipset. - -6. When the Surface Dock is connected again, the main chipset firmware is verified against the firmware present in the Surface Dock driver. - -7. If the firmware update for the main chipset is installed successfully, the Surface Dock driver copies the firmware update for the DisplayPort. - -8. When the Surface Dock is disconnected for a second time, the Surface dock installs the firmware update to the DisplayPort chipset. This process takes up to 3 minutes to apply. - -![Surface Dock firmware update process](images/manage-surface-dock-fig1-updateprocess.png "Surface Dock firmware update process") - -*1- Driver installation can be performed by Windows Update, manual installation, or automatically downloaded with Microsoft Surface Dock Updater* - -*2 - The Surface Dock firmware installation process takes approximately 3 minutes* - -Figure 1. The Surface Dock firmware update process - -If the firmware installation process is interrupted (for example, if power is disconnected from the Surface Dock during firmware installation), the Surface Dock will automatically revert to the prior firmware without disruption to the user, and the update process will restart the next time the Surface Dock is disconnected. For most users this update process should be entirely transparent. - -## Methods for updating Surface Dock firmware - - -There are three methods you can use to update the firmware of the Surface Dock: - -- [Automatic installation of drivers with Windows Update](#automatic-installation) - -- [Deployment of drivers downloaded from the Microsoft Download Center](#deployment-dlc) - -- [Manually update with Microsoft Surface Dock Updater](#manual-updater) - -## Automatic installation with Windows Update - - -Windows Update is the method that most users will use. The drivers for the Surface Dock are downloaded automatically from Windows Update and the dock update process is initiated without additional user interaction. The two-phase dock update process described earlier occurs in the background as the user connects and disconnects the Surface Dock during normal use. - ->[!NOTE] ->The driver version that is displayed in Device Manager may be different from the firmware version that the Surface Dock is using. - -  - -## Deployment of drivers downloaded from the Microsoft Download Center - - -This method is used mostly in environments where Surface device drivers and firmware are managed separately from Windows Update. See [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md) for more information about the different methods to manage Surface device driver and firmware updates. Updating the Surface Dock firmware through this method involves downloading and deploying an MSI package to the Surface device that contains the updated Surface Dock drivers and firmware. This is the same method recommended for updating all other Surface drivers and firmware. The two-phase firmware update process occurs in the background each time the Surface Dock is disconnected, just like it does with the Windows Update method. - -For more information about how to deploy MSI packages see [Create and deploy an application with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/get-started/create-and-deploy-an-application). - ->[!NOTE] ->When drivers are installed through Windows Update or the MSI package, registry keys are added that indicate the version of firmware installed on the Surface Dock and contained within the Surface Dock driver. These registry keys can be found in: -> **HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WUDF\\Services\\SurfaceDockFwUpdate\\Parameters** - -Firmware status is displayed for both the main chipset (displayed as **Component10**) and the DisplayPort chipset (displayed as **Component20**). For each chipset there are four keys, where *xx* is **10** or **20** corresponding to each chipset: - -- **Component*xx*CurrentFwVersion** – This key displays the version of firmware that is installed on the currently connected or most recently connected Surface Dock. - -- **Component*xx*OfferFwVersion** – This key displays the version of firmware staged by the Surface Dock driver. - -- **Component*xx*FirmwareUpdateStatus** – This key displays the stage of the Surface Dock firmware update process. - -- **Component*xx*FirmwareUpdateStatusRejectReason** – This key changes as the firmware update is processed. It should result in 0 after the successful installation of Surface Dock firmware. - ->[!NOTE] ->These registry keys are not present unless you have installed updated Surface Dock drivers through Windows Update or MSI deployment. - -  - -## Manually update with Microsoft Surface Dock Updater - - -The manual method using the Microsoft Surface Dock Updater tool to update the Surface Dock is used mostly in environments where IT prepares Surface Docks prior to delivery to the end user, or for troubleshooting of a Surface Dock. Microsoft Surface Dock Updater is a tool that you can run from any Surface device that is compatible with the Surface Dock, and will walk you through the process of performing the Surface Dock firmware update in the least possible amount of time. You can also use this tool to verify the firmware status of a connected Surface Dock. - -For more information about how to use the Microsoft Surface Dock Updater tool, please see [Microsoft Surface Dock Updater](surface-dock-updater.md). You can download the Microsoft Surface Dock Updater tool from the [Surface Tools for IT page](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center. - -  - -  - - - - - diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 9b9736af68..5a35a44360 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -26,6 +26,9 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d Compatible Surface devices include: +* Surface Pro 6 +* Surface Laptop 2 +* Surface Go * Surface Book 2 * Surface Pro with LTE Advanced (Model 1807) * Surface Pro (Model 1796) @@ -60,7 +63,7 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include: To create a Microsoft Surface Data Eraser USB stick, first install the Microsoft Surface Data Eraser setup tool from the Microsoft Download Center using the link provided at the beginning of this article. You do not need a Surface device to *create* the USB stick. After you have downloaded the installation file to your computer, follow these steps to install the Microsoft Surface Data Eraser creation tool: -1. Run the DataEraserSetup.msi installation file that you downloaded from the Microsoft Download Center. +1. Run the DataEraserSetup.msi installation file that you downloaded from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=46703). 2. Select the check box to accept the terms of the license agreement, and then click **Install**. @@ -147,10 +150,40 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: +### Version 3.2.78.0 +*Release Date: 4 Dec 2018* + +This version of Surface Data Eraser: + +- Includes bug fixes + + +### Version 3.2.75.0 +*Release Date: 12 November 2018* + +This version of Surface Data Eraser: + +- Adds support to Surface Studio 2 +- Fixes issues with SD card + +### Version 3.2.69.0 +*Release Date: 12 October 2018* + +This version of Surface Data Eraser adds support for the following: + +- Surface Pro 6 +- Surface Laptop 2 + +### Version 3.2.68.0 +This version of Microsoft Surface Data Eraser adds support for the following: + +- Surface Go + + ### Version 3.2.58.0 This version of Microsoft Surface Data Eraser adds support for the following: -- • Additional storage devices (drives) for Surface Pro and Surface Laptop devices +- Additional storage devices (drives) for Surface Pro and Surface Laptop devices ### Version 3.2.46.0 @@ -168,7 +201,7 @@ This version of Microsoft Surface Data Eraser adds support for the following: - Surface Pro 1TB >[!NOTE] ->Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/en-us/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information. +>Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information. ### Version 3.2.36.0 diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md index da0e607baf..8dfbc020a2 100644 --- a/devices/surface/microsoft-surface-deployment-accelerator.md +++ b/devices/surface/microsoft-surface-deployment-accelerator.md @@ -94,6 +94,12 @@ SDA is periodically updated by Microsoft. For instructions on how these features >[!NOTE] >To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share. +### Version 2.8.136.0 +This version of SDA supports deployment of the following: +* Surface Book 2 +* Surface Laptop +* Surface Pro LTE + ### Version 2.0.8.0 This version of SDA supports deployment of the following: * Surface Pro diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index cbc27f2355..e239bcea68 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md @@ -126,7 +126,26 @@ The following steps show you how to create a deployment share for Windows 10 th ![The installatin progress window](images/sdasteps-fig5-installwindow.png "The installatin progress window") *Figure 5. The Installation Progress window* +>[!NOTE] +>The following error message may be hit while Installing the latest ADK or MDT: "An exception occurred during a WebClient request.". This is due to incompatibility between SDA and BITS. Here is the workaround for this: + ``` +In the following two PowerShell scripts: +%ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\Install-MDT.ps1 +%ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\INSTALL-WindowsADK.ps1 + +Edit the $BITSTransfer variable in the input parameters to $False as shown below: + +Param( + [Parameter( + Position=0, + Mandatory=$False, + HelpMessage="Download via BITS bool true/false" + )] + [string]$BITSTransfer = $False + ) + ``` + 8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices. ### Optional: Create a deployment share without an Internet connection diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md new file mode 100644 index 0000000000..7325a15492 --- /dev/null +++ b/devices/surface/surface-diagnostic-toolkit-business.md @@ -0,0 +1,165 @@ +--- +title: Surface Diagnostic Toolkit for Business +description: This topic explains how to use the Surface Diagnostic Toolkit for Business. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.date: 11/15/2018 +--- + +# Surface Diagnostic Toolkit for Business + +The Microsoft Surface Diagnostic Toolkit for Business (SDT) enables IT administrators to quickly investigate, troubleshoot, and resolve hardware, software, and firmware issues with Surface devices. You can run a range of diagnostic tests and software repairs in addition to obtaining device health insights and guidance for resolving issues. + +Specifically, SDT for Business enables you to: + +- [Customize the package.](#create-custom-sdt) +- [Run the app using commands.](surface-diagnostic-toolkit-command-line.md) +- [Run multiple hardware tests to troubleshoot issues.](surface-diagnostic-toolkit-desktop-mode.md#multiple) +- [Generate logs for analyzing issues.](surface-diagnostic-toolkit-desktop-mode.md#logs) +- [Obtain detailed report comparing device vs optimal configuration.](surface-diagnostic-toolkit-desktop-mode.md#detailed-report) + + +## Primary scenarios and download resources + +To run SDT for Business, download the components listed in the following table. + +>[!NOTE] +>In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (msiexec.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md). + +Mode | Primary scenarios | Download | Learn more +--- | --- | --- | --- +Desktop mode | Assist users in running SDT on their Surface devices to troubleshoot issues.
Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package:
Microsoft Surface Diagnostic Toolkit for Business Installer
[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) +Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:
`-DataCollector` collects all log files
`-bpa` runs health diagnostics using Best Practice Analyzer.
`-windowsupdate` checks Windows update for missing firmware or driver updates.

**Note:** Support for the ability to confirm warranty information will be available via the command `-warranty` | SDT console app:
Microsoft Surface Diagnostics App Console
[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md) + +## Supported devices + +SDT for Business is supported on Surface 3 and later devices, including: + +- Surface Pro 6 +- Surface Laptop 2 +- Surface Go +- Surface Go with LTE +- Surface Book 2 +- Surface Pro with LTE Advanced (Model 1807) +- Surface Pro (Model 1796) +- Surface Laptop +- Surface Studio +- Surface Studio 2 +- Surface Book +- Surface Pro 4 +- Surface 3 LTE +- Surface 3 +- Surface Pro 3 + +## Installing Surface Diagnostic Toolkit for Business + +To create an SDT package that you can distribute to users in your organization, you first need to install SDT at a command prompt and set a custom flag to install the tool in admin mode. SDT contains the following install option flags: + +- `SENDTELEMETRY` sends telemetry data to Microsoft. The flag accepts `0` for disabled or `1` for enabled. The default value is `1` to send telemetry. +- `ADMINMODE` configures the tool to be installed in admin mode. The flag accepts `0` for Business client mode or `1` for Business Administrator mode. The default value is `0`. + +**To install SDT in ADMINMODE:** + +1. Sign in to your Surface device using the Administrator account. +2. Download SDT Windows Installer Package (.msi) from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703) and copy it to a preferred location on your Surface device, such as Desktop. +3. Open a command prompt and enter: + + ``` + msiexec.exe /i ADMINMODE=1. + ``` + **Example:** + + ``` + C:\Users\Administrator> msiexec.exe/I"C:\Users\Administrator\Desktop\Microsoft_Surface_Diagnostic_Toolkit_for_Business_Installer.msi" ADMINMODE=1 + ``` + +4. The SDT setup wizard appears, as shown in figure 1. Click **Next**. + + >[!NOTE] + >If the setup wizard does not appear, ensure that you are signed into the Administrator account on your computer. + + ![welcome to the Surface Diagnostic Toolkit setup wizard](images/sdt-1.png) + + *Figure 1. Surface Diagnostic Toolkit setup wizard* + +5. When the SDT setup wizard appears, click **Next**, accept the End User License Agreement (EULA), and select a location to install the package. + +6. Click **Next** and then click **Install**. + +## Locating SDT on your Surface device + +Both SDT and the SDT app console are installed at `C:\Program Files\Microsoft\Surface\Microsoft Surface Diagnostic Toolkit for Business`. + +In addition to the .exe file, SDT installs a JSON file and an admin.dll file (modules\admin.dll), as shown in figure 2. + +![list of SDT installed files in File Explorer](images/sdt-2.png) + +*Figure 2. Files installed by SDT* + + +## Preparing the SDT package for distribution + +Creating a custom package allows you to target the tool to specific known issues. + +1. Click **Start > Run**, enter **Surface** and then click **Surface Diagnostic Toolkit for Business**. +2. When the tool opens, click **Create Custom Package**, as shown in figure 3. + + ![Create custom package option](images/sdt-3.png) + + *Figure 3. Create custom package* + +### Language and telemetry page + + +When you start creating the custom package, you’re asked whether you agree to send data to Microsoft to help improve the application. For more information,see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). Sharing is on by default, so uncheck the box if you wish to decline. + +>[!NOTE] +>This setting is limited to only sharing data generated while running packages. + +![Select language and telemetry settings](images/sdt-4.png) + +*Figure 4. Select language and telemetry settings* + +### Windows Update page + +Select the option appropriate for your organization. Most organizations with multiple users will typically select to receive updates via Windows Server Update Services (WSUS), as shown in figure 5. If using local Windows update packages or WSUS, enter the path as appropriate. + +![Select Windows Update option](images/sdt-5.png) + +*Figure 5. Windows Update option* + +### Software repair page + +This allows you to select or remove the option to run software repair updates. + +![Select software repair option](images/sdt-6.png) + +*Figure 6. Software repair option* + +### Collecting logs and saving package page + +You can select to run a wide range of logs across applications, drivers, hardware, and the operating system. Click the appropriate area and select from the menu of available logs. You can then save the package to a software distribution point or equivalent location that users can access. + +![Select log options](images/sdt-7.png) + +*Figure 7. Log option and save package* + +## Next steps + +- [Use Surface Diagnostic Toolkit for Business in desktop mode](surface-diagnostic-toolkit-desktop-mode.md) +- [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) + + + + + + + + + + + diff --git a/devices/surface/surface-diagnostic-toolkit-command-line.md b/devices/surface/surface-diagnostic-toolkit-command-line.md new file mode 100644 index 0000000000..8d5cf4009c --- /dev/null +++ b/devices/surface/surface-diagnostic-toolkit-command-line.md @@ -0,0 +1,148 @@ +--- +title: Run Surface Diagnostic Toolkit for Business using commands +description: How to run Surface Diagnostic Toolkit in a command console +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.date: 11/15/2018 +--- + +# Run Surface Diagnostic Toolkit for Business using commands + +Running the Surface Diagnostic Toolkit (SDT) at a command prompt requires downloading the STD app console. After it's installed, you can run SDT at a command prompt via the Windows command console (cmd.exe) or using Windows PowerShell, including PowerShell Integrated Scripting Environment (ISE), which provides support for autocompletion of commands, copy/paste, and other features. + +>[!NOTE] +>To run SDT using commands, you must be signed in to the Administrator account or signed in to an account that is a member of the Administrator group on your Surface device. + +## Running SDT app console + +Download and install SDT app console from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703). You can use the Windows command prompt (cmd.exe) or Windows PowerShell to: + +- Collect all log files. +- Run health diagnostics using Best Practice Analyzer. +- Check update for missing firmware or driver updates. + +>[!NOTE] +>In this release, the SDT app console supports single commands only. Running multiple command line options requires running the console exe separately for each command. + +By default, output files are saved in the same location as the console app. Refer to the following table for a complete list of commands. + +Command | Notes +--- | --- +-DataCollector "output file" | Collects system details into a zip file. "output file" is the file path to create system details zip file.

**Example**:
`Microsoft.Surface.Diagnostics.App.Console.exe -DataCollector SDT_DataCollection.zip` +-bpa "output file" | Checks several settings and health indicators in the device. “output file" is the file path to create the HTML report.

**Example**:
`Microsoft.Surface.Diagnostics.App.Console.exe -bpa BPA.html` +-windowsupdate | Checks Windows Update online servers for missing firmware and/or driver updates.

**Example**:
Microsoft.Surface.Diagnostics.App.Console.exe -windowsupdate +-warranty "output file" | Checks warranty information on the device (valid or invalid). The optional “output file” is the file path to create the xml file.

**Example**:
Microsoft.Surface.Diagnostics.App.Console.exe –warranty “warranty.xml” + + +>[!NOTE] +>To run the SDT app console remotely on target devices, you can use a configuration management tool such as System Center Configuration Manager. Alternatively, you can create a .zip file containing the console app and appropriate console commands and deploy per your organization’s software distribution processes. + +## Running Best Practice Analyzer + +You can run BPA tests across key components such as BitLocker, Secure Boot, and Trusted Platform Module (TPM) and then output the results to a shareable file. The tool generates a series of tables with color-coded headings and condition descriptors along with guidance about how to approach resolving the issue. + +- Green indicates the component is running in an optimal condition (optimal). +- Orange indicates the component is not running in an optimal condition (not optimal). +- Red indicates the component is in an abnormal state. + +### Sample BPA results output + + + + + + + +
BitLocker
Description:Checks if BitLocker is enabled on the system drive.
Value:Protection On
Condition:Optimal
Guidance:It is highly recommended to enable BitLocker to protect your data.
+ + + + + + + +
Secure Boot
Description:Checks if Secure Boot is enabled.
Value:True
Condition:Optimal
Guidance:It is highly recommended to enable Secure Boot to protect your PC.
+ + + + + + + +
Trusted Platform Module
Description:Ensures that the TPM is functional.
Value:True
Condition:Optimal
Guidance:Without a functional TPM, security-based functions such as BitLocker may not work properly.
+ + + + + + + +
Connected Standby
Description:Checks if Connected Standby is enabled.
Value:True
Condition:Optimal
Guidance:Connected Standby allows a Surface device to receive updates and notifications while not being used. For best experience, Connected Standby should be enabled.
+ + + + + + + +
Bluetooth
Description:Checks if Bluetooth is enabled.
Value:Enabled
Condition:Optimal
Guidance:
+ + + + + + + +
Debug Mode
Description:Checks if the operating system is in Debug mode.
Value:Normal
Condition:Optimal
Guidance:The debug boot option enables or disables kernel debugging of the Windows operating system. Enabling this option can cause system instability and can prevent DRM (digital rights managemend) protected media from playing.
+ + + + + + + +
Test Signing
Description:Checks if Test Signing is enabled.
Value:Normal
Condition:Optimal
Guidance:Test Signing is a Windows startup setting that should only be used to test pre-release drivers.
+ + + + + + + +
Active Power Plan
Description:Checks that the correct power plan is active.
Value:Balanced
Condition:Optimal
Guidance:It is highly recommended to use the "Balanced" power plan to maximize productivity and battery life.
+ + + + + + + +
Windows Update
Description:Checks if the device is up to date with Windows updates.
Value:Microsoft Silverlight (KB4023307), Definition Update for Windows Defender Antivirus - KB2267602 (Definition 1.279.1433.0)
Condition:Not Optimal
Guidance:Updating to the latest windows makes sure you are on the latest firmware and drivers. It is recommended to always keep your device up to date
+ + + + + + + +
Free Hard Drive Space
Description:Checks for low free hard drive space.
Value:66%
Condition:Optimal
Guidance:For best performance, your hard drive should have at least 10% of its capacity as free space.
+ + + + + + + +
Non-Functioning Devices
Description:List of non-functioning devices in Device Manager.
Value:
Condition:Optimal
Guidance:Non-functioning devices in Device Manager may cause unpredictable problems with Surface devices such as, but not limited to, no power savings for the respective hardware component.
+ + + + + + + +
External Monitor
Description:Checks for an external monitor that may have compatibility issues.
Value:
Condition:Optimal
Guidance:Check with the original equipment manufacturer for compatibility with your Surface device.
diff --git a/devices/surface/surface-diagnostic-toolkit-desktop-mode.md b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md new file mode 100644 index 0000000000..ee76845656 --- /dev/null +++ b/devices/surface/surface-diagnostic-toolkit-desktop-mode.md @@ -0,0 +1,99 @@ +--- +title: Use Surface Diagnostic Toolkit for Business in desktop mode +description: How to use SDT to help users in your organization run the tool to identify and diagnose issues with the Surface device. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: jdeckerms +ms.author: jdecker +ms.topic: article +ms.date: 11/15/2018 +--- + +# Use Surface Diagnostic Toolkit for Business in desktop mode + +This topic explains how to use the Surface Diagnostic Toolkit (SDT) to help users in your organization run the tool to identify and diagnose issues with the Surface device. Successfully running SDT can quickly determine if a reported issue is caused by failed hardware or user error. + +1. Direct the user to install [the SDT package](surface-diagnostic-toolkit-business.md#create-custom-sdt) from a software distribution point or network share. After it is installed, you’re ready to guide the user through a series of tests. + +2. Begin at the home page, which allows users to enter a description of the issue, and click **Continue**, as shown in figure 1. + + ![Start SDT in desktop mode](images/sdt-desk-1.png) + + *Figure 1. SDT in desktop mode* + +3. When SDT indicates the device has the latest updates, click **Continue** to advance to the catalog of available tests, as shown in figure 2. + + ![Select from SDT options](images/sdt-desk-2.png) + + *Figure 2. Select from SDT options* + +4. You can choose to run all the diagnostic tests. Or, if you already suspect a particular issue such as a faulty display or a power supply problem, click **Select** to choose from the available tests and click **Run Selected**, as shown in figure 3. See the following table for details of each test. + + ![Select hardware tests](images/sdt-desk-3.png) + + *Figure 3. Select hardware tests* + + Hardware test | Description + --- | --- + Power Supply and Battery | Checks Power supply is functioning optimally + Display and Sound | Checks brightness, stuck or dead pixels, speaker and microphone functioning + Ports and Accessories | Checks accessories, screen attach and USB functioning + Connectivity | Checks Bluetooth, wireless and LTE connectivity + Security | Checks security related issues + Touch | Checks touch related issues + Keyboard and touch | Checks integrated keyboard connection and type cover + Sensors | Checks functioning of different sensors in the device + Hardware | Checks issues with different hardware components such as graphics card and camera + + + + + + +## Running multiple hardware tests to troubleshoot issues + +SDT is designed as an interactive tool that runs a series of tests. For each test, SDT provides instructions summarizing the nature of the test and what users should expect or look for in order for the test to be successful. For example, to diagnose if the display brightness is working properly, SDT starts at zero and increases the brightness to 100 percent, asking users to confirm – by answering **Yes** or **No** -- that brightness is functioning as expected, as shown in figure 4. + +For each test, if functionality does not work as expected and the user clicks **No**, SDT generates a report of the possible causes and ways to troubleshoot it. + +![Running hardware diagnostics](images/sdt-desk-4.png) + +*Figure 4. Running hardware diagnostics* + +1. If the brightness successfully adjusts from 0-100 percent as expected, direct the user to click **Yes** and then click **Continue**. +2. If the brightness fails to adjust from 0-100 percent as expected, direct the user to click **No** and then click **Continue**. +3. Guide users through remaining tests as appropriate. When finished, SDT automatically provides a high-level summary of the report, including the possible causes of any hardware issues along with guidance for resolution. + + +### Repairing applications + +SDT enables you to diagnose and repair applications that may be causing issues, as shown in figure 5. + +![Running repairs](images/sdt-desk-5.png) + +*Figure 5. Running repairs* + + + + + +### Generating logs for analyzing issues + +SDT provides extensive log-enabled diagnosis support across applications, drivers, hardware, and operating system issues, as shown in figure 6. + +![Generating logs](images/sdt-desk-6.png) + +*Figure 6. Generating logs* + + + + +### Generating detailed report comparing device vs. optimal configuration + +Based on the logs, SDT generates a report for software- and firmware-based issues that you can save to a preferred location. + +## Related topics + +- [Run Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) + diff --git a/devices/surface/surface-dock-updater.md b/devices/surface/surface-dock-updater.md index 445be071c9..9c644b79eb 100644 --- a/devices/surface/surface-dock-updater.md +++ b/devices/surface/surface-dock-updater.md @@ -112,11 +112,20 @@ Microsoft Surface Dock Updater logs its progress into the Event Log, as shown in ## Changes and updates -Microsoft periodically updates Surface Dock Updater. To learn more about the application of firmware by Surface Dock Updater, see [Manage Surface Dock firmware updates](https://technet.microsoft.com/en-us/itpro/surface/manage-surface-dock-firmware-updates). +Microsoft periodically updates Surface Dock Updater. >[!Note] >Each update to Surface Dock firmware is included in a new version of Surface Dock Updater. To update a Surface Dock to the latest firmware, you must use the latest version of Surface Dock Updater. +### Version 2.23.139.0 +*Release Date: 10 October 2018* + +This version of Surface Dock Updater adds support for the following: + +- Add support for Surface Pro 6 +- Add support for Surface Laptop 2 + + ### Version 2.22.139.0 *Release Date: 26 July 2018* @@ -182,7 +191,7 @@ This version of Surface Dock Updater adds support for the following: * Update for Surface Dock DisplayPort firmware -## Related topics + -[Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md) + diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 42df3fd641..fee03a26b2 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -21,7 +21,7 @@ Microsoft Surface Enterprise Management Mode (SEMM) is a feature of Surface devi When Surface devices are configured by SEMM and secured with the SEMM certificate, they are considered *enrolled* in SEMM. When the SEMM certificate is removed and control of UEFI settings is returned to the user of the device, the Surface device is considered *unenrolled* in SEMM. -There are two administrative options you can use to manage SEMM and enrolled Surface devices – a standalone tool or integration with System Center Configuration Manager. The SEMM standalone tool, called the Microsoft Surface UEFI Configurator, is described in this article. For more information about how to manage SEMM with System Center Configuration Manager, see [Use System Center Configuration Manager to manage devices with SEMM](https://technet.microsoft.com/en-us/itpro/surface/use-system-center-configuration-manager-to-manage-devices-with-semm). +There are two administrative options you can use to manage SEMM and enrolled Surface devices – a standalone tool or integration with System Center Configuration Manager. The SEMM standalone tool, called the Microsoft Surface UEFI Configurator, is described in this article. For more information about how to manage SEMM with System Center Configuration Manager, see [Use System Center Configuration Manager to manage devices with SEMM](https://technet.microsoft.com/itpro/surface/use-system-center-configuration-manager-to-manage-devices-with-semm). ## Microsoft Surface UEFI Configurator @@ -118,7 +118,7 @@ These characters are the last two characters of the certificate thumbprint and s To enroll a Surface device in SEMM or to apply the UEFI configuration from a configuration package, all you need to do is run the .msi file on the intended Surface device. You can use application deployment or operating system deployment technologies such as [System Center Configuration Manager](https://technet.microsoft.com/library/mt346023) or the [Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741). When you enroll a device in SEMM you must be present to confirm the enrollment on the device. User interaction is not required when you apply a configuration to devices that are already enrolled in SEMM. -For a step-by-step walkthrough of how to enroll a Surface device in SEMM or apply a Surface UEFI configuration with SEMM, see [Enroll and configure Surface devices with SEMM](https://technet.microsoft.com/en-us/itpro/surface/enroll-and-configure-surface-devices-with-semm). +For a step-by-step walkthrough of how to enroll a Surface device in SEMM or apply a Surface UEFI configuration with SEMM, see [Enroll and configure Surface devices with SEMM](https://technet.microsoft.com/itpro/surface/enroll-and-configure-surface-devices-with-semm). ### Reset package @@ -137,7 +137,7 @@ When you use the process on the **Enterprise Management** page to reset SEMM on >[!NOTE] >A Reset Request expires two hours after it is created. -For a step-by-step walkthrough of how to unenroll Surface devices from SEMM, see [Unenroll Surface devices from SEMM](https://technet.microsoft.com/en-us/itpro/surface/unenroll-surface-devices-from-semm). +For a step-by-step walkthrough of how to unenroll Surface devices from SEMM, see [Unenroll Surface devices from SEMM](https://technet.microsoft.com/itpro/surface/unenroll-surface-devices-from-semm). ## Surface Enterprise Management Mode certificate requirements @@ -189,8 +189,30 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must >[!NOTE] >For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick. +## Version History + +### Version 2.26.136.0 +* Add support to Surface Studio 2 + +### Version 2.21.136.0 +* Add support to Surface Pro 6 +* Add support to Surface Laptop 2 + +### Version 2.14.136.0 +* Add support to Surface Go + +### Version 2.9.136.0 +* Add support to Surface Book 2 +* Add support to Surface Pro LTE +* Accessibility improvements + +### Version 1.0.74.0 +* Add support to Surface Laptop +* Add support to Surface Pro +* Bug fixes and general improvement + ## Related topics [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) -[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) \ No newline at end of file +[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) diff --git a/devices/surface/update.md b/devices/surface/update.md index 29e0b9517b..df7a6e3c5d 100644 --- a/devices/surface/update.md +++ b/devices/surface/update.md @@ -8,7 +8,7 @@ ms.sitesec: library author: heatherpoulsen ms.author: jdecker ms.topic: article -ms.date: 12/01/2016 +ms.date: 11/13/2018 --- # Surface firmware and driver updates @@ -22,7 +22,6 @@ Find out how to download and manage the latest firmware and driver updates for y |[Wake On LAN for Surface devices](wake-on-lan-for-surface-devices.md) | See how you can use Wake On LAN to remotely wake up devices to perform management or maintenance tasks, or to enable management solutions automatically. | | [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)| Get a list of the available downloads for Surface devices and links to download the drivers and firmware for your device.| | [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)| Explore the available options to manage firmware and driver updates for Surface devices.| -| [Manage Surface Dock firmware updates](manage-surface-dock-firmware-updates.md)| Read about the different methods you can use to manage the process of Surface Dock firmware updates.| | [Surface Dock Updater](surface-dock-updater.md)| Get a detailed walkthrough of Microsoft Surface Dock Updater.|   diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md index 4e13cfd089..996293cae5 100644 --- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md +++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md @@ -51,7 +51,7 @@ You will also need to have available the following resources: >[!NOTE] >Installation media for use with MDT must contain a Windows image in Windows Imaging Format (.wim). Installation media produced by the [Get Windows 10](https://www.microsoft.com/en-us/software-download/windows10/) page does not use a .wim file, instead using an Electronic Software Download (.esd) file, which is not compatible with MDT. -* [Surface firmware and drivers](https://technet.microsoft.com/en-us/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10 +* [Surface firmware and drivers](https://technet.microsoft.com/itpro/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices) for Windows 10 * Application installation files for any applications you want to install, such as the Surface app diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 73c49f7dbc..381ba2d8e1 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -50,7 +50,7 @@ Deployment of Microsoft Surface UEFI Manager is a typical application deployment The command to install Microsoft Surface UEFI Manager is: -`msiexec /i “SurfaceUEFIManagerSetup.msi” /q` +`msiexec /i "SurfaceUEFIManagerSetup.msi" /q` The command to uninstall Microsoft Surface UEFI Manager is: @@ -334,11 +334,11 @@ After your scripts are prepared to configure and enable SEMM on the client devic The SEMM Configuration Manager scripts will be added to Configuration Manager as a script application. The command to install SEMM with ConfigureSEMM.ps1 is: -`Powershell.exe -file “.\ConfigureSEMM.ps1”` +`Powershell.exe -file ".\ConfigureSEMM.ps1"` The command to uninstall SEMM with ResetSEMM.ps1 is: -`Powershell.exe -file “.\ResetSEMM.ps1”` +`Powershell.exe -file ".\ResetSEMM.ps1"` To add the SEMM Configuration Manager scripts to Configuration Manager as an application, use the following process: diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index bb250ba302..e4f3b0a922 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md @@ -18,7 +18,7 @@ Windows Autopilot is a cloud-based deployment technology available in Windows 10 With Surface devices, you can choose to register your devices at the time of purchase when purchasing from a Surface partner enabled for Windows Autopilot. New devices can be shipped directly to your end-users and will be automatically enrolled and configured when the units are unboxed and turned on for the first time. This process can eliminate need to reimage your devices as part of your deployment process, reducing the work required of your deployment staff and opening up new, agile methods for device management and distribution. -In this article learn how to enroll your Surface devices in Windows Autopilot with a Surface partner and the options and considerations you will need to know along the way. This article focuses specifically on Surface devices, for more information about using Windows Autopilot with other devices, or to read more about Windows Autopilot and its capabilities, see [Overview of Windows Autopilot](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot) in the Windows Docs Library. +In this article learn how to enroll your Surface devices in Windows Autopilot with a Surface partner and the options and considerations you will need to know along the way. This article focuses specifically on Surface devices, for more information about using Windows Autopilot with other devices, or to read more about Windows Autopilot and its capabilities, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot) in the Windows Docs Library. ## Prerequisites Enrollment of Surface devices in Windows Autopilot with a Surface partner enabled for Windows Autopilot has the following licensing requirements for each enrolled Surface device: diff --git a/education/docfx.json b/education/docfx.json index c01be28758..227546b56a 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md index 97ddde85fb..0110254868 100644 --- a/education/get-started/change-history-ms-edu-get-started.md +++ b/education/get-started/change-history-ms-edu-get-started.md @@ -2,8 +2,7 @@ title: Change history for Microsoft Education Get Started description: New and changed topics in the Microsoft Education get started guide. keywords: Microsoft Education get started guide, IT admin, IT pro, school, education, change history -ms.prod: w10 -ms.technology: Windows +ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/get-started/configure-microsoft-store-for-education.md b/education/get-started/configure-microsoft-store-for-education.md index caf9b51520..6da930b66d 100644 --- a/education/get-started/configure-microsoft-store-for-education.md +++ b/education/get-started/configure-microsoft-store-for-education.md @@ -3,7 +3,6 @@ title: Configure Microsoft Store for Education description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/enable-microsoft-teams.md b/education/get-started/enable-microsoft-teams.md index bab1e61628..5d3af7dc3d 100644 --- a/education/get-started/enable-microsoft-teams.md +++ b/education/get-started/enable-microsoft-teams.md @@ -3,7 +3,6 @@ title: Enable Microsoft Teams for your school description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/finish-setup-and-other-tasks.md b/education/get-started/finish-setup-and-other-tasks.md index b15394f6ac..120b357bc2 100644 --- a/education/get-started/finish-setup-and-other-tasks.md +++ b/education/get-started/finish-setup-and-other-tasks.md @@ -3,7 +3,6 @@ title: Finish Windows 10 device setup and other tasks description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index 39dad1f8e4..6df81f8b27 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -3,7 +3,6 @@ title: Deploy and manage a full cloud IT solution with Microsoft Education description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: hero-article diff --git a/education/get-started/set-up-office365-edu-tenant.md b/education/get-started/set-up-office365-edu-tenant.md index 82ee6a90cd..01a5f5b4a9 100644 --- a/education/get-started/set-up-office365-edu-tenant.md +++ b/education/get-started/set-up-office365-edu-tenant.md @@ -3,7 +3,6 @@ title: Set up an Office 365 Education tenant description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/set-up-windows-10-education-devices.md b/education/get-started/set-up-windows-10-education-devices.md index 5b79384b77..a62a0e282d 100644 --- a/education/get-started/set-up-windows-10-education-devices.md +++ b/education/get-started/set-up-windows-10-education-devices.md @@ -3,7 +3,6 @@ title: Set up Windows 10 education devices description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/set-up-windows-education-devices.md b/education/get-started/set-up-windows-education-devices.md index ba8630edd9..e1f8ef557e 100644 --- a/education/get-started/set-up-windows-education-devices.md +++ b/education/get-started/set-up-windows-education-devices.md @@ -3,7 +3,6 @@ title: Set up Windows 10 devices using Windows OOBE description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/use-intune-for-education.md b/education/get-started/use-intune-for-education.md index baef903733..d1ab32cfa9 100644 --- a/education/get-started/use-intune-for-education.md +++ b/education/get-started/use-intune-for-education.md @@ -3,7 +3,6 @@ title: Use Intune for Education to manage groups, apps, and settings description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/get-started/use-school-data-sync.md b/education/get-started/use-school-data-sync.md index f880134137..f2bcfb50f9 100644 --- a/education/get-started/use-school-data-sync.md +++ b/education/get-started/use-school-data-sync.md @@ -3,7 +3,6 @@ title: Use School Data Sync to import student data description: Learn how to use the new Microsoft Education system to set up a cloud infrastructure for your school, acquire devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, School Data Sync, Microsoft Teams, Microsoft Store for Education, Azure AD, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started diff --git a/education/images/M365-education.svg b/education/images/M365-education.svg index 7f83629296..9591f90f68 100644 --- a/education/images/M365-education.svg +++ b/education/images/M365-education.svg @@ -1,4 +1,4 @@ - +

@@ -25,13 +26,13 @@ ms.date: 10/30/2017
  • - +
    - +
    @@ -50,7 +51,7 @@ ms.date: 10/30/2017
    - +
    @@ -71,7 +72,7 @@ ms.date: 10/30/2017
    - +
    diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md index 3eb30e45f8..0861f90f74 100644 --- a/education/trial-in-a-box/educator-tib-get-started.md +++ b/education/trial-in-a-box/educator-tib-get-started.md @@ -3,7 +3,6 @@ title: Educator Trial in a Box Guide description: Need help or have a question about using Microsoft Education? Start here. keywords: support, troubleshooting, education, Microsoft Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article @@ -162,7 +161,7 @@ Use video to create a project summary. 1. Check you have the latest version of Microsoft Photos. Open the **Start** menu and search for **Store**. Select the **See more** button (**…**) and select **Downloads and updates**. Select **Get updates**. -2. Open Microsoft Edge and visit http://aka.ms/PhotosTIB to download a zip file of the project media. +2. Open Microsoft Edge and visit https://aka.ms/PhotosTIB to download a zip file of the project media. 3. Once the download has completed, open the zip file and select **Extract** > **Extract all**. Select **Browse** and choose the **Pictures** folder as the destination, and then select **Extract**. @@ -284,7 +283,7 @@ To get started: ![Select add page button](images/plus-page.png) -4. Make sure your pen is paired to the device. To pair, see Connect to Bluetooth devices. +4. Make sure your pen is paired to the device. To pair, see Connect to Bluetooth devices. To solve the equation 3x+4=7, follow these instructions: 1. Write the equation 3x+4=7 in ink using the pen or type it in as text. @@ -331,9 +330,9 @@ Microsoft Education works hard to bring you the most current Trial in a Box prog For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles: -- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games) +- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/help/4026259/microsoft-store-check-updates-for-apps-and-games) -- [Turn on automatic app updates](https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates) +- [Turn on automatic app updates](https://support.microsoft.com/help/15081/windows-turn-on-automatic-app-updates) ## Get more info * Learn more at microsoft.com/education diff --git a/education/trial-in-a-box/images/it-admin1.svg b/education/trial-in-a-box/images/it-admin1.svg index f69dc4d324..695337f601 100644 --- a/education/trial-in-a-box/images/it-admin1.svg +++ b/education/trial-in-a-box/images/it-admin1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/student1.svg b/education/trial-in-a-box/images/student1.svg index 832a1214ae..25c267bae9 100644 --- a/education/trial-in-a-box/images/student1.svg +++ b/education/trial-in-a-box/images/student1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/student2.svg b/education/trial-in-a-box/images/student2.svg index 6566eab49b..5d473d1baf 100644 --- a/education/trial-in-a-box/images/student2.svg +++ b/education/trial-in-a-box/images/student2.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/teacher1.svg b/education/trial-in-a-box/images/teacher1.svg index 7db5c7dd32..00feb1e22a 100644 --- a/education/trial-in-a-box/images/teacher1.svg +++ b/education/trial-in-a-box/images/teacher1.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/images/teacher2.svg b/education/trial-in-a-box/images/teacher2.svg index e4f1cd4b74..592c516120 100644 --- a/education/trial-in-a-box/images/teacher2.svg +++ b/education/trial-in-a-box/images/teacher2.svg @@ -1,8 +1,8 @@ - + - diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md index 4a891bb989..c91f1c0264 100644 --- a/education/trial-in-a-box/index.md +++ b/education/trial-in-a-box/index.md @@ -3,7 +3,6 @@ title: Microsoft Education Trial in a Box description: For IT admins, educators, and students, discover what you can do with Microsoft 365 Education. Try it out with our Trial in a Box program. keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, IT admin, educator, student, explore, Trial in a Box ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md index 4e15edb03d..49d37afbff 100644 --- a/education/trial-in-a-box/itadmin-tib-get-started.md +++ b/education/trial-in-a-box/itadmin-tib-get-started.md @@ -3,7 +3,6 @@ title: IT Admin Trial in a Box Guide description: Try out Microsoft 365 Education to implement a full cloud infrastructure for your school, manage devices and apps, and configure and deploy policies to your Windows 10 devices. keywords: education, Microsoft 365 Education, trial, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: get-started @@ -59,7 +58,7 @@ To try out the IT admin tasks, start by logging in as an IT admin. ## 2. Configure Device B with Set up School PCs Now you're ready to learn how to configure a brand new device. You will start on **Device A** by downloading and running the Set up School PCs app. Then, you will configure **Device B**. -If you've previously used Set up School PCs to provision student devices, you can follow the instructions in this section to quickly configure **Device B**. Otherwise, we recommend you follow the instructions in [Use the Set up School PCs app](https://docs.microsoft.com/en-us/education/windows/use-set-up-school-pcs-app) for more detailed information, including tips for successfully running Set up School PCs. +If you've previously used Set up School PCs to provision student devices, you can follow the instructions in this section to quickly configure **Device B**. Otherwise, we recommend you follow the instructions in [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for more detailed information, including tips for successfully running Set up School PCs. ### Download, install, and get ready @@ -102,7 +101,7 @@ If you've previously used Set up School PCs to provision student devices, you ca - Set up School PCs will change some account management logic so that it sets the expiration time for an account to 180 days (without requiring sign-in). - This setting also increases the maximum storage to 100% of the available disk space. This prevents the student's account from being erased if the student stores a lot of files or data or if the student doesn't use the PC over a prolonged period. - **Let guests sign-in to these PCs** allows guests to use student PCs without a school account. If you select this option, a **Guest** account button will be added in the PC's sign-in screen to allow anyone to use the PC. - - **Enable Windows 10 Autopilot Reset** enables IT admins to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment the student PC is returned to a fully configured or known approved state. For more info, see [Autopilot Reset](https://docs.microsoft.com/en-us/education/windows/autopilot-reset). + - **Enable Windows 10 Autopilot Reset** enables IT admins to quickly remove personal files, apps, and settings, and reset Windows 10 devices from the lock screen any time and apply original settings and management enrollment the student PC is returned to a fully configured or known approved state. For more info, see [Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). - **Lock screen background** shows the default backgroudn used for student PCs provisioned by Set up School PCs. Select **Browse** to change the default. 7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test. @@ -245,7 +244,7 @@ Update settings for all devices in your tenant by adding the **Documents** and * ## Verify correct device setup and other IT admin tasks Follow these instructions to confirm if you configured your tenant correctly and the right apps and settings were applied to all users or devices on your tenant: -* [Verify correct device setup](https://docs.microsoft.com/en-us/education/get-started/finish-setup-and-other-tasks#verify-correct-device-setup) +* [Verify correct device setup](https://docs.microsoft.com/education/get-started/finish-setup-and-other-tasks#verify-correct-device-setup) 1. Confirm that the apps you bought from the Microsoft Store for Education appear in the Windows Start screen's **Recently added** section. @@ -255,13 +254,13 @@ Follow these instructions to confirm if you configured your tenant correctly and 2. Confirm that the folders you added, if you chose to customize the Windows interface from Intune for Education, appear in the Start menu. 3. If you added **Office 365 for Windows 10 S (Education Preview)** to the package and provisioned **Device B** with it, you need to click on one of the Office apps in the **Start** menu to complete app registration. -* [Verify the device is Azure AD joined](https://docs.microsoft.com/en-us/education/get-started/finish-setup-and-other-tasks#verify-the-device-is-azure-ad-joined) - Confirm that your devices are being managed in Intune for Education. -* [Add more users](https://docs.microsoft.com/en-us/education/get-started/finish-setup-and-other-tasks#add-more-users) - Go to the Office 365 admin center to add more users. +* [Verify the device is Azure AD joined](https://docs.microsoft.com/education/get-started/finish-setup-and-other-tasks#verify-the-device-is-azure-ad-joined) - Confirm that your devices are being managed in Intune for Education. +* [Add more users](https://docs.microsoft.com/education/get-started/finish-setup-and-other-tasks#add-more-users) - Go to the Office 365 admin center to add more users. * Get app updates (including updates for Office 365 for Windows 10 S) 1. Open the **Start** menu and go to the **Microsoft Store**. 2. From the **Microsoft Store**, click **...** (See more) and select **Downloads and updates**. 3. In the **Downloads and updates** page, click **Get updates**. -* [Try the BYOD scenario](https://docs.microsoft.com/en-us/education/get-started/finish-setup-and-other-tasks#connect-other-devices-to-your-cloud-infrastructure) +* [Try the BYOD scenario](https://docs.microsoft.com/education/get-started/finish-setup-and-other-tasks#connect-other-devices-to-your-cloud-infrastructure) ## Update your apps @@ -269,9 +268,9 @@ Microsoft Education works hard to bring you the most current Trial in a Box prog For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles: -- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games) +- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/help/4026259/microsoft-store-check-updates-for-apps-and-games) -- [Turn on automatic app updates](https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates) +- [Turn on automatic app updates](https://support.microsoft.com/help/15081/windows-turn-on-automatic-app-updates) ## Get more info diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md index 20bca6a920..cc82641391 100644 --- a/education/trial-in-a-box/support-options.md +++ b/education/trial-in-a-box/support-options.md @@ -3,7 +3,6 @@ title: Microsoft Education Trial in a Box Support description: Need help or have a question about using Microsoft Education Trial in a Box? Start here. keywords: support, troubleshooting, education, Microsoft 365 Education, full cloud IT solution, school, deploy, setup, manage, Windows 10, Intune for Education, Office 365 for Education, Microsoft Store for Education, Set up School PCs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.topic: article @@ -24,9 +23,9 @@ Microsoft Education works hard to bring you the most current Trial in a Box prog For more information about checking for updates, and how to optionally turn on automatic app updates, see the following articles: -- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/en-us/help/4026259/microsoft-store-check-updates-for-apps-and-games) +- [Check updates for apps and games from Microsoft Store](https://support.microsoft.com/help/4026259/microsoft-store-check-updates-for-apps-and-games) -- [Turn on automatic app updates](https://support.microsoft.com/en-us/help/15081/windows-turn-on-automatic-app-updates) +- [Turn on automatic app updates](https://support.microsoft.com/help/15081/windows-turn-on-automatic-app-updates) ## 2. Confirm your admin contact information is current diff --git a/education/windows/TOC.md b/education/windows/TOC.md index 533981750f..1729553e5c 100644 --- a/education/windows/TOC.md +++ b/education/windows/TOC.md @@ -3,6 +3,7 @@ ## [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) ## [Deployment recommendations for school IT administrators](edu-deployment-recommendations.md) ## [Set up Windows devices for education](set-up-windows-10.md) +### [What's new in Set up School PCs](set-up-school-pcs-whats-new.md) ### [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md) #### [Azure AD Join for school PCs](set-up-school-pcs-azure-ad-join.md) #### [Shared PC mode for school devices](set-up-school-pcs-shared-pc-mode.md) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 8a5441c5cc..3ab4c50a66 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -3,7 +3,6 @@ title: Reset devices with Autopilot Reset description: Gives an overview of Autopilot Reset and how you can enable and use it in your schools. keywords: Autopilot Reset, Windows 10, education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md index c14ad21e17..4185c9baae 100644 --- a/education/windows/change-history-edu.md +++ b/education/windows/change-history-edu.md @@ -3,7 +3,6 @@ title: Change history for Windows 10 for Education (Windows 10) description: New and changed topics in Windows 10 for Education keywords: Windows 10 education documentation, change history ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu @@ -143,5 +142,5 @@ The topics in this library have been updated for Windows 10, version 1607 (also | [Use the Set up School PCs app (Preview)](use-set-up-school-pcs-app.md) | New. Learn how the Set up School PCs app works and how to use it. | | [Set up School PCs app technical reference (Preview)](set-up-school-pcs-technical.md) | New. Describes the changes that the Set up School PCs app makes to a PC. | | [Take tests in Windows 10 (Preview)](take-tests-in-windows-10.md)
    [Set up Take a Test on a single PC (Preview)](take-a-test-single-pc.md)
    [Set up Take a Test on multiple PCs (Preview)](take-a-test-multiple-pcs.md)
    [Take a Test app technical reference (Preview)](take-a-test-app-technical.md) | New. Learn how to set up and use the Take a Test app. | -| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in November 2015 | -| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/en-us/itpro/windows/plan/index) library, originally published in May 2016 | +| [Chromebook migration guide](chromebook-migration-guide.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/plan/index) library, originally published in November 2015 | +| [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) | Moved from [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/plan/index) library, originally published in May 2016 | diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index 5a4b583f7b..58dcd89d1e 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -3,13 +3,12 @@ title: Change to Windows 10 Education from Windows 10 Pro description: Learn how IT Pros can opt into changing to Windows 10 Pro Education from Windows 10 Pro. keywords: change, free change, Windows 10 Pro to Windows 10 Pro Education, Windows 10 Pro to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium author: MikeBlodge -ms.author: MikeBlodge +ms.author: jaimeo ms.date: 04/30/2018 --- @@ -17,7 +16,7 @@ ms.date: 04/30/2018 Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. If you have an education tenant and use devices with Windows 10 Pro, global administrators can opt-in to a free change to Windows 10 Pro Education depending on your scenario. -- [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](https://docs.microsoft.com/en-us/education/windows/s-mode-switch-to-edu) +- [Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode](https://docs.microsoft.com/education/windows/s-mode-switch-to-edu) To take advantage of this offering, make sure you meet the [requirements for changing](#requirements-for-changing). For academic customers who are eligible to change to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance. @@ -78,7 +77,7 @@ You can use Windows Configuration Designer to create a provisioning package that 3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to change to Windows 10 Pro Education. - For more information about using Windows Configuration Designer, see [Set up student PCs to join domain](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain). + For more information about using Windows Configuration Designer, see [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain). ### Change using the Activation page @@ -303,7 +302,7 @@ You need to synchronize these identities so that users will have a *single ident ![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png) For more information about integrating on-premises AD DS domains with Azure AD, see these resources: -- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) +- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/) - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) ## Related topics diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 5ca42d662f..e981deb743 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -4,7 +4,6 @@ description: In this guide you will learn how to migrate a Google Chromebook-bas ms.assetid: 7A1FA48A-C44A-4F59-B895-86D4D77F8BEA keywords: migrate, automate, device, Chromebook migration ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu, devices diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 073496a0bb..9d1acc0a3c 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -5,7 +5,6 @@ keywords: Windows 10 deployment, recommendations, privacy settings, school, educ ms.mktglfcycl: plan ms.sitesec: library ms.prod: w10 -ms.technology: Windows ms.pagetype: edu ms.localizationpriority: medium author: CelesteDG @@ -19,7 +18,7 @@ ms.date: 08/31/2017 - Windows 10 -Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). +Privacy is important to us, we want to provide you with ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, for usage with [education editions of Windows 10](windows-editions-for-education-customers.md) in education environments. These features work on all Windows 10 editions, but education editions of Windows 10 have the settings preconfigured. We recommend that all Windows 10 devices in an education setting be configured with **[SetEduPolicies](https://docs.microsoft.com/education/windows/configure-windows-for-education#setedupolicies)** enabled. See the following table for more information. To learn more about Microsoft's commitment to privacy, see [Windows 10 and privacy](https://go.microsoft.com/fwlink/?LinkId=809305). We want all students to have the chance to use the apps they need for success in the classroom and all school personnel to have apps they need for their job. Students and school personnel who use assistive technology apps not available in the Microsoft Store for Education, and use devices running Windows 10 S, will be able to configure the device at no additional charge to Windows 10 Pro Education. To learn more about the steps to configure this, see [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md). @@ -27,12 +26,12 @@ In Windows 10, version 1703 (Creators Update), it is straightforward to configur | Area | How to configure | What this does | Windows 10 Education | Windows 10 Pro Education | Windows 10 S | | --- | --- | --- | --- | --- | --- | -| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set | +| **Diagnostic Data** | **AllowTelemetry** | Sets Diagnostic Data to [Basic](https://docs.microsoft.com/windows/configuration/configure-windows-telemetry-in-your-organization) | This is already set | This is already set | The policy must be set | | **Microsoft consumer experiences** | **SetEduPolicies** | Disables suggested content from Windows such as app recommendations | This is already set | This is already set | The policy must be set | | **Cortana** | **AllowCortana** | Disables Cortana

    * Cortana is enabled by default on all editions in Windows 10, version 1703 | If using Windows 10 Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

    See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | If using Windows 10 Pro Education, upgrading from Windows 10, version 1607 to Windows 10, version 1703 will enable Cortana.

    See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | See the [Recommended configuration](#recommended-configuration) section below for recommended Cortana settings. | | **Safe search** | **SetEduPolicies** | Locks Bing safe search to Strict in Microsoft Edge | This is already set | This is already set | The policy must be set | | **Bing search advertising** | Ad free search with Bing | Disables ads when searching the internet with Bing in Microsoft Edge | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | Depending on your specific requirements, there are different ways to configure this as detailed in [Ad-free search with Bing](#ad-free-search-with-bing) | -| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

    * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](https://docs.microsoft.com/en-us/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set | +| **Apps** | **SetEduPolicies** | Preinstalled apps like Microsoft Edge, Movies & TV, Groove, and Skype become education ready

    * Any app can detect Windows is running in an education ready configuration through [IsEducationEnvironment](https://docs.microsoft.com/uwp/api/windows.system.profile.educationsettings) | This is already set | This is already set | The policy must be set | ## Recommended configuration @@ -49,7 +48,7 @@ It is easy to be education ready when using Microsoft products. We recommend the 3. On PCs running Windows 10, version 1703: 1. Provision the PC using one of these methods: * [Provision PCs with the Set up School PCs app](use-set-up-school-pcs-app.md) - This will automatically set both **SetEduPolicies** to True and **AllowCortana** to False. - * [Provision PCs with a custom package created with Windows Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False. + * [Provision PCs with a custom package created with Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package) - Make sure to set both **SetEduPolicies** to True and **AllowCortana** to False. 2. Join the PC to Azure Active Directory. * Use Set up School PCs or Windows Configuration Designer to bulk enroll to Azure AD. * Manually Azure AD join the PC during the Windows device setup experience. @@ -73,7 +72,7 @@ You can configure Windows through provisioning or management tools including ind You can set all the education compliance areas through both provisioning and management tools. Additionally, these Microsoft education tools will ensure PCs that you set up are education ready: - [Set up School PCs](use-set-up-school-pcs-app.md) -- [Intune for Education](https://docs.microsoft.com/en-us/intune-education/available-settings) +- [Intune for Education](https://docs.microsoft.com/intune-education/available-settings) ## AllowCortana **AllowCortana** is a policy that enables or disables Cortana. It is a policy node in the Policy configuration service provider, [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana). @@ -102,13 +101,13 @@ Set **Computer Configuration > Administrative Templates > Windows Components > S ### Provisioning tools - [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. -- [Windows Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package) +- [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package) - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**. ![Set AllowCortana to No in Windows Configuration Designer](images/allowcortana_wcd.png) ## SetEduPolicies -**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/sharedpc-csp). +**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/sharedpc-csp). Use one of these methods to set this policy. @@ -125,7 +124,7 @@ Use one of these methods to set this policy. ![Create an OMA URI for SetEduPolices](images/setedupolicies_omauri.png) ### Group Policy -**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/dn905224(v=vs.85).aspx) to set the policy in [MDM SharedPC](https://msdn.microsoft.com/en-us/library/windows/desktop/mt779129(v=vs.85).aspx). +**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224(v=vs.85).aspx) to set the policy in [MDM SharedPC](https://msdn.microsoft.com/library/windows/desktop/mt779129(v=vs.85).aspx). For example: @@ -143,13 +142,13 @@ For example: ### Provisioning tools - [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates. -- [Windows Configuration Designer](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package) +- [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package) - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**. ![Set SetEduPolicies to True in Windows Configuration Designer](images/setedupolicies_wcd.png) ## Ad-free search with Bing -Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at http://www.bing.com/classroom/about-us. +Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. Additional information is available at https://www.bing.com/classroom/about-us. > [!NOTE] > If you enable the guest account in shared PC mode, students using the guest account will not have an ad-free experience searching with Bing in Microsoft Edge unless the PC is connected to your school network and your school network has been configured as described in [IP registration for entire school network using Microsoft Edge](#ip-registration-for-entire-school-network-using-microsoft-edge). diff --git a/education/windows/create-tests-using-microsoft-forms.md b/education/windows/create-tests-using-microsoft-forms.md index 3b0c7b4e62..a5fdfd4970 100644 --- a/education/windows/create-tests-using-microsoft-forms.md +++ b/education/windows/create-tests-using-microsoft-forms.md @@ -2,8 +2,7 @@ title: Create tests using Microsoft Forms description: Learn how to use Microsoft Forms with the Take a Test app to prevent access to other computers or online resources while completing a test. keywords: school, Take a Test, Microsoft Forms -ms.prod: w10 -ms.technology: Windows +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index b2630531e9..b8897a3042 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -3,7 +3,6 @@ title: Deploy Windows 10 in a school district (Windows 10) description: Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD), use System Center Configuration Manager, Intune, and Group Policy to manage devices. keywords: configure, tools, device, school district, deploy Windows 10 ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library @@ -63,8 +62,8 @@ This district configuration has the following characteristics: * You install the 64-bit version of the Microsoft Deployment Toolkit (MDT) 2013 Update 2 on the admin device. >**Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. * The devices use Azure AD in Office 365 Education for identity management. -* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/). -* Use [Intune](https://docs.microsoft.com/en-us/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](https://technet.microsoft.com/en-us/library/cc725828.aspx) to manage devices. +* If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/). +* Use [Intune](https://docs.microsoft.com/intune/), [Mobile Device Management for Office 365](https://support.office.com/en-us/article/Set-up-Mobile-Device-Management-MDM-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy in AD DS](https://technet.microsoft.com/library/cc725828.aspx) to manage devices. * Each device supports a one-student-per-device or multiple-students-per-device scenario. * The devices can be a mixture of different make, model, and processor architecture (32-bit or 64-bit) or be identical. * To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment (PXE) boot. @@ -364,7 +363,7 @@ Record the configuration setting management methods you selected in Table 5. Alt #### Select the app and update management products -For a district, there are many ways to manage apps and software updates. Table 6 lists the products that this guide describes and recommends. Although you could manage updates by using [Windows Updates or Windows Server Update Services (WSUS)](https://technet.microsoft.com/en-us/windowsserver/bb332157.aspx), you still need to use System Center Configuration Manager or Intune to manage apps. Therefore, it only makes sense to use one or both of these tools for update management. +For a district, there are many ways to manage apps and software updates. Table 6 lists the products that this guide describes and recommends. Although you could manage updates by using [Windows Updates or Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx), you still need to use System Center Configuration Manager or Intune to manage apps. Therefore, it only makes sense to use one or both of these tools for update management. Use the information in Table 6 to determine which combination of app and update management products is right for your district. @@ -505,7 +504,7 @@ When you install the Windows ADK on the admin device, select the following featu * Windows PE * USMT -For more information about installing the Windows ADK, see [Step 2-2: Install Windows ADK](https://technet.microsoft.com/en-us/library/dn781086.aspx#InstallWindowsADK). +For more information about installing the Windows ADK, see [Step 2-2: Install Windows ADK](https://technet.microsoft.com/library/dn781086.aspx#InstallWindowsADK). ### Install MDT @@ -514,7 +513,7 @@ You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 6 >**Note**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32-bit versions of the operating system. -For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT). +For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/library/dn759415.aspx#InstallingaNewInstanceofMDT). Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices. @@ -522,7 +521,7 @@ Now, you’re ready to create the MDT deployment share and populate it with the MDT includes the Deployment Workbench, a graphical UI that you can use to manage MDT deployment shares. A *deployment share* is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT *deployment media*). -For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](https://technet.microsoft.com/en-us/library/dn781086.aspx#CreateMDTDeployShare). +For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](https://technet.microsoft.com/library/dn781086.aspx#CreateMDTDeployShare). ### Install the Configuration Manager console @@ -530,7 +529,7 @@ For more information about how to create a deployment share, see [Step 3-1: Crea You can use System Center Configuration Manager to manage Windows 10 deployments, Windows desktop apps, Microsoft Store apps, and software updates. To manage System Center Configuration Manager, you use the Configuration Manager console. You must install the Configuration Manager console on every device you use to manage System Center Configuration Manager (specifically, the admin device). The Configuration Manager console is automatically installed when you install System Center Configuration Manager primary site servers. -For more information about how to install the Configuration Manager console, see [Install System Center Configuration Manager consoles](https://technet.microsoft.com/en-us/library/mt590197.aspx#bkmk_InstallConsole). +For more information about how to install the Configuration Manager console, see [Install System Center Configuration Manager consoles](https://technet.microsoft.com/library/mt590197.aspx#bkmk_InstallConsole). ### Configure MDT integration with the Configuration Manager console @@ -540,7 +539,7 @@ You can use MDT with System Center Configuration Manager to make ZTI operating s In addition to the admin device, run the Configure ConfigMgr Integration Wizard on each device that runs the Configuration Manager console to ensure that all Configuration Manager console installation can use the power of MDT–System Center Configuration Manager integration. -For more information, see [Enable Configuration Manager Console Integration for Configuration Manager](https://technet.microsoft.com/en-us/library/dn759415.aspx#EnableConfigurationManagerConsoleIntegrationforConfigurationManager). +For more information, see [Enable Configuration Manager Console Integration for Configuration Manager](https://technet.microsoft.com/library/dn759415.aspx#EnableConfigurationManagerConsoleIntegrationforConfigurationManager). #### Summary @@ -571,7 +570,7 @@ Complete the following steps to select the appropriate Office 365 Education lice 3. Determine whether students or faculty need Azure Rights Management. - You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management Documentation](https://docs.microsoft.com/en-us/rights-management/). + You can use Azure Rights Management to protect classroom information against unauthorized access. Azure Rights Management protects your information inside or outside the classroom through encryption, identity, and authorization policies, securing your files and email. You can retain control of the information, even when it’s shared with people outside the classroom or your educational institution. Azure Rights Management is free to use with all Office 365 Education license plans. For more information, see [Azure Rights Management Documentation](https://docs.microsoft.com/rights-management/). 4. Record the Office 365 Education license plans needed for the classroom in Table 9. @@ -672,13 +671,13 @@ Although all new Office 365 Education subscriptions have automatic licensing ena When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory, the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD-integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. -Educational institutions can obtain Azure AD Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). +Educational institutions can obtain Azure AD Basic edition licenses at no cost if they have a volume license agreement. After your institution obtains its licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). The following Azure AD Premium features are not in Azure AD Basic: * Allow designated users to manage group membership * Dynamic group membership based on user metadata -* Azure multifactor authentication (MFA; see [What is Azure Multi-Factor Authentication](https://azure.microsoft.com/en-us/documentation/articles/multi-factor-authentication/)) +* Azure multifactor authentication (MFA; see [What is Azure Multi-Factor Authentication](https://azure.microsoft.com/documentation/articles/multi-factor-authentication/)) * Identify cloud apps that your users run * Self-service recovery of BitLocker * Add local administrator accounts to Windows 10 devices @@ -691,8 +690,8 @@ You can sign up for Azure AD Premium, and then assign licenses to users. In this For more information about: -* Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). -* How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3). +* Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/). +* How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/library/azure/jj573650.aspx#create_tenant3). #### Summary @@ -709,7 +708,7 @@ Now that you have an Office 365 subscription, you must determine how you’ll cr In this method, you have an on-premises AD DS domain. As shown in Figure 5, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. ->**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx). +>**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx). ![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD") @@ -762,7 +761,7 @@ You can deploy the Azure AD Connect tool: *Figure 8. Azure AD Connect in Azure* -This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx). +This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/library/dn635310.aspx). ### Deploy Azure AD Connect on premises @@ -770,13 +769,13 @@ In this synchronization model (illustrated in Figure 7), you run Azure AD Connec #### To deploy AD DS and Azure AD synchronization -1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/). +1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect-prerequisites/). 2. In the VM or on the physical device that will run Azure AD Connect, sign in with a domain administrator account. -3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect). +3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect). -4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure sync features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features). +4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure sync features](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/#configure-sync-features). Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. @@ -823,8 +822,8 @@ Several methods are available to bulk-import user accounts into AD DS domains. T |Method |Description and reason to select this method | |-------|---------------------------------------------| -|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).| +|Ldifde.exe|This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript|This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).| |Windows PowerShell|This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).| *Table 12. AD DS bulk-import account methods* @@ -835,8 +834,8 @@ After you have selected your user and group account bulk import method, you’re |Method |Source file format | |-------|-------------------| -|Ldifde.exe |Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript |VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).| +|Ldifde.exe |Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript |VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx).| |Windows PowerShell |Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). | *Table 13. Source file format for each bulk import method* @@ -849,8 +848,8 @@ With the bulk-import source file finished, you’re ready to import the user and For more information about how to import user accounts into AD DS by using: -* Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). -* VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx). +* Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). +* VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx). * Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). #### Summary @@ -1101,13 +1100,13 @@ The first step in preparing for Windows 10 deployment is to configure—that is,
    1. Import operating systems -Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). +Import the operating systems that you selected in the [Select the operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench).
    2. Import device drivers Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.


    -Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). +Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). @@ -1123,8 +1122,8 @@ Import device drivers for each device in your institution. For more information If you have Intune or System Center Configuration Manager, you can deploy Microsoft Store apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) and [Deploy and manage apps by using System Center Configuration Manager](#deploy-and-manage-apps-by-using-system-center-configuration-manager) sections. This method provides granular deployment of Microsoft Store apps, and you can use it for ongoing management of Microsoft Store apps. This is the preferred method of deploying and managing Microsoft Store apps.

    In addition, you must prepare your environment for sideloading Microsoft Store apps. For more information about how to:

      -
    • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](https://technet.microsoft.com/en-us/windows/jj874388.aspx).
      • -
    • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
      • +
    • Prepare your environment for sideloading, see [Try it out: sideload Microsoft Store apps](https://technet.microsoft.com/windows/jj874388.aspx).
      • +
    • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
    @@ -1133,12 +1132,12 @@ In addition, you must prepare your environment for sideloading Microsoft Store a 4. Create MDT applications for Windows desktop apps You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

    -To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx).

    +To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/library/jj219423.aspx).

    If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

    **Note**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy and manage apps by using Intune](#deploy-and-manage-apps-by-using-intune) section. -For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx). +For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx). @@ -1152,7 +1151,7 @@ For more information about how to create an MDT application for Window desktop a
  • Upgrade existing devices to 64-bit Windows 10 Education.
  • Upgrade existing devices to 32-bit Windows 10 Education.
    • -
    Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). +
    Again, you will create the task sequences based on the operating systems that you imported in step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). @@ -1160,7 +1159,7 @@ For more information about how to create an MDT application for Window desktop a 6. Update the deployment share Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32-bit and 64-bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

    -For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). +For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). @@ -1179,30 +1178,30 @@ Before you can use System Center Configuration Manager to deploy Windows 10 and Deploying a new System Center Configuration Manager infrastructure is beyond the scope of this guide, but the following resources can help you deploy a new System Center Configuration Manager infrastructure: -* [Get ready for System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt608540.aspx) -* [Start using System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt608544.aspx) +* [Get ready for System Center Configuration Manager](https://technet.microsoft.com/library/mt608540.aspx) +* [Start using System Center Configuration Manager](https://technet.microsoft.com/library/mt608544.aspx) #### To configure an existing System Center Configuration Manager infrastructure for operating system deployment 1. Perform any necessary infrastructure remediation. - Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627936.aspx). + Ensure that your existing infrastructure can support the operating system deployment feature. For more information, see [Infrastructure requirements for operating system deployment in System Center Configuration Manager](https://technet.microsoft.com/library/mt627936.aspx). 2. Add the Windows PE boot images, Windows 10 operating systems, and other content. You need to add the Windows PE boot images, Windows 10 operating system images, and other deployment content that you will use to deploy Windows 10 with ZTI. To add this content, use the Create MDT Task Sequence Wizard. - You can add this content by using System Center Configuration Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager). + You can add this content by using System Center Configuration Manager only (without MDT), but the Create MDT Task Sequence Wizard is the preferred method because the wizard prompts you for all the deployment content you need for a task sequence and provides a much more intuitive user experience. For more information, see [Create ZTI Task Sequences Using the Create MDT Task Sequence Wizard in Configuration Manager](https://technet.microsoft.com/library/dn759415.aspx#CreateZTITaskSequencesUsingtheCreateMDTTaskSequenceWizardinConfigurationManager). 3. Add device drivers. You must add device drivers for the different device types in your district. For example, if you have a mixture of Surface, HP Stream, Dell Inspiron, and Lenovo Yoga devices, then you must have the device drivers for each device. - Create a System Center Configuration Manager driver package for each device type in your district. For more information, see [Manage drivers in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627934.aspx). + Create a System Center Configuration Manager driver package for each device type in your district. For more information, see [Manage drivers in System Center Configuration Manager](https://technet.microsoft.com/library/mt627934.aspx). 4. Add Windows apps. Install the Windows apps (Windows desktop and Microsoft Store apps) that you want to deploy after the task sequence deploys your customized image (a thick, reference image that include Windows 10 and your core Windows desktop apps). These apps are in addition to the apps included in your reference image. You can only deploy Microsoft Store apps after you deploy Windows 10 because you cannot capture Microsoft Store apps in a reference image. Microsoft Store apps target users, not devices. - Create a System Center Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627959.aspx). + Create a System Center Configuration Manager application for each Windows desktop or Microsoft Store app that you want to deploy after you apply the reference image to a device. For more information, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt627959.aspx). ### Configure Window Deployment Services for MDT @@ -1218,13 +1217,13 @@ You can use Windows Deployment Services in conjunction with MDT to automatically * [Windows Deployment Services Overview](https://technet.microsoft.com/library/hh831764.aspx) * The Windows Deployment Services Help file, included in Windows Deployment Services - * [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx) + * [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) 2. Add LTI boot images (Windows PE images) to Windows Deployment Services. The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the deployment share’s Boot subfolder. - For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). + For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). ### Configure Window Deployment Services for System Center Configuration Manager @@ -1241,17 +1240,17 @@ You can use Windows Deployment Services in conjunction with System Center Config For more information about how to perform this step, see the following resources: * [Windows Deployment Services Overview](https://technet.microsoft.com/library/hh831764.aspx) * The Windows Deployment Services Help file, included in Windows Deployment Services - * [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx) + * [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) 2. Configure a distribution point to accept PXE requests in System Center Configuration Manager. To support PXE boot requests, you install the PXE service point site system role. Then, you must configure one or more distribution points to respond to PXE boot request. - For more information about how to perform this step, see [Install site system roles for System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt704036.aspx), [Use PXE to deploy Windows over the network with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627940.aspx), and [Configuring distribution points to accept PXE requests](https://technet.microsoft.com/en-us/library/mt627944.aspx#BKMK_PXEDistributionPoint). + For more information about how to perform this step, see [Install site system roles for System Center Configuration Manager](https://technet.microsoft.com/library/mt704036.aspx), [Use PXE to deploy Windows over the network with System Center Configuration Manager](https://technet.microsoft.com/library/mt627940.aspx), and [Configuring distribution points to accept PXE requests](https://technet.microsoft.com/library/mt627944.aspx#BKMK_PXEDistributionPoint). 3. Configure the appropriate boot images (Windows PE images) to deploy from the PXE-enabled distribution point. Before a device can start a boot image from a PXE-enabled distribution point, you must change the properties of the boot image to enable PXE booting. Typically, you create this boot image when you created your MDT task sequence in the Configuration Manager console. - For more information about how to perform this step, see [Configure a boot image to deploy from a PXE-enabled distribution point](https://technet.microsoft.com/en-us/library/mt627946.aspx#BKMK_BootImagePXE) and [Manage boot images with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627946.aspx). + For more information about how to perform this step, see [Configure a boot image to deploy from a PXE-enabled distribution point](https://technet.microsoft.com/library/mt627946.aspx#BKMK_BootImagePXE) and [Manage boot images with System Center Configuration Manager](https://technet.microsoft.com/library/mt627946.aspx). #### Summary @@ -1277,27 +1276,27 @@ You initially configured the MDT deployment share in the [Configure the MDT depl A task sequence can deploy only one Windows 10 edition or version, which means that you must create a task sequence for each Windows 10 edition and version you selected in the [Select the operating systems](#select-the-operating-systems) section earlier in this guide. To create task sequences, use the New Task Sequence Wizard. - For more information, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). + For more information, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). 2. Create an MDT application for each desktop app you want to include in your reference image. - You create MDT applications by using the New Application Wizard in the Deployment Workbench. As part of creating the MDT application, specify the command-line parameters used to install the app without user intervention (unattended installation). For more information, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). + You create MDT applications by using the New Application Wizard in the Deployment Workbench. As part of creating the MDT application, specify the command-line parameters used to install the app without user intervention (unattended installation). For more information, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). 3. Customize the task sequence to install the MDT applications that you created in step 2. You can add an **Install Application** task sequence step to your task sequence. Then, you can customize the **Install Application** task sequence step to install a specific app, which automatically installs the app with no user interaction required when your run the task sequence. - You need to add an **Install Application** task sequence step for each app you want to include in your reference image. For more information, see [Customize Application Installation in Task Sequences](https://technet.microsoft.com/en-us/library/dn759415.aspx#CustomizeApplicationInstallationinTaskSequences). + You need to add an **Install Application** task sequence step for each app you want to include in your reference image. For more information, see [Customize Application Installation in Task Sequences](https://technet.microsoft.com/library/dn759415.aspx#CustomizeApplicationInstallationinTaskSequences). 4. Create a selection profile that contains the drivers for the device. A *selection profile* lets you select specific device drivers. For example, if you want to deploy the device drivers for a Surface Pro 4 device, you can create a selection profile that contains only the Surface Pro 4 device drivers. First, in the Out-of-Box Drivers node in the Deployment Workbench, create a folder that will contain your device drivers. Next, import the device drivers into the folder you just created. Finally, create the selection profile and specify the folder that contains the device drivers. For more information, see the following resources: - * [Create Folders to Organize Device Drivers for LTI Deployments](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateFolderstoOrganizeDeviceDriversforLTIDeployments) - * [Create Selection Profiles to Select the Device Drivers for LTI Deployments](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateSelectionProfilestoSelecttheDeviceDriversforLTIDeployments) + * [Create Folders to Organize Device Drivers for LTI Deployments](https://technet.microsoft.com/library/dn759415.aspx#CreateFolderstoOrganizeDeviceDriversforLTIDeployments) + * [Create Selection Profiles to Select the Device Drivers for LTI Deployments](https://technet.microsoft.com/library/dn759415.aspx#CreateSelectionProfilestoSelecttheDeviceDriversforLTIDeployments) 5. Customize the task sequence to use the selection profile that you created in step 4. - You can customize the **Inject Driver** task sequence step in the **Preinstall** task sequence group in your task sequence to deploy only the device drivers in the selection profile. For more information, see [Configure Task Sequences to Deploy Device Drivers in Selection Profiles for LTI Deployments](https://technet.microsoft.com/en-us/library/dn759415.aspx#ConfigureTaskSequencestoDeployDeviceDriversinSelectionProfilesforLTIDeployments). + You can customize the **Inject Driver** task sequence step in the **Preinstall** task sequence group in your task sequence to deploy only the device drivers in the selection profile. For more information, see [Configure Task Sequences to Deploy Device Drivers in Selection Profiles for LTI Deployments](https://technet.microsoft.com/library/dn759415.aspx#ConfigureTaskSequencestoDeployDeviceDriversinSelectionProfilesforLTIDeployments). ### Capture reference image @@ -1305,7 +1304,7 @@ To capture the reference image, run the LTI task sequence that you created in th Use the Deployment Wizard to deploy Windows 10, your apps, and device drivers to the device, and then capture the .wim file. The LTI deployment process is almost fully automated: you provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. ->**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section of [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx#Anchor_6). +>**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section of [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/library/dn781089.aspx#Anchor_6). In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. @@ -1313,7 +1312,7 @@ In most instances, deployments occur without incident. Only in rare occasions do 1. **Initiate the LTI deployment process.** Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide. -2. **Complete the Deployment Wizard.** For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” section in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Anchor_5). +2. **Complete the Deployment Wizard.** For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” section in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/library/dn759415.aspx#Anchor_5). ### Import reference image @@ -1323,8 +1322,8 @@ Both the Deployment Workbench and the Configuration Manager console have wizards For more information about how to import the reference image into: -* An MDT deployment share, see [Import a Previously Captured Image of a Reference Computer](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportaPreviouslyCapturedImageofaReferenceComputer). -* System Center Configuration Manager, see [Manage operating system images with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627939.aspx) and [Customize operating system images with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627938.aspx). +* An MDT deployment share, see [Import a Previously Captured Image of a Reference Computer](https://technet.microsoft.com/library/dn759415.aspx#ImportaPreviouslyCapturedImageofaReferenceComputer). +* System Center Configuration Manager, see [Manage operating system images with System Center Configuration Manager](https://technet.microsoft.com/library/mt627939.aspx) and [Customize operating system images with System Center Configuration Manager](https://technet.microsoft.com/library/mt627938.aspx). ### Create a task sequence to deploy the reference image @@ -1334,8 +1333,8 @@ As you might expect, both the Deployment Workbench and the Configuration Manager For more information about how to create a task sequence in the: -* Deployment Workbench for a deployment share, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). -* Configuration Manager console, see [Create a task sequence to install an operating system in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627927.aspx). +* Deployment Workbench for a deployment share, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). +* Configuration Manager console, see [Create a task sequence to install an operating system in System Center Configuration Manager](https://technet.microsoft.com/library/mt627927.aspx). ####Summary In this section, you customized the MDT deployment share to deploy Windows 10 and desktop apps to one or more reference devices by creating and customizing MDT applications, device drivers, and applications. Next, you ran the task sequence, which deploys Windows 10, deploys your apps, deploys the appropriate device drivers, and captures an image of the reference device. Then, you imported the captured reference image into a deployment share or System Center Configuration Manager. Finally, you created a task sequence to deploy your captured reference image to faculty and student devices. At this point in the process, you’re ready to deploy Windows 10 and your apps to your devices. @@ -1374,7 +1373,7 @@ Use the information in Table 17 to help you determine whether you need to config You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

    **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

    -**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.

    +**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/library/jj966262.aspx) Group Policy setting to use the **Users can’t add Microsoft accounts** setting option.

    **Intune.** To enable or disable the use of Microsoft accounts, use the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. @@ -1392,7 +1391,7 @@ Use the information in Table 17 to help you determine whether you need to config Manage the built-in administrator account created during device deployment When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and (optionally) disable it.

    -**Group Policy.** To rename the built-in Administrator account, use the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx).

    +**Group Policy.** To rename the built-in Administrator account, use the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/library/cc747484.aspx). You specify the new name for the Administrator account. To disable the built-in Administrator account, use the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/library/jj852165.aspx).

    **Intune.** Not available. @@ -1401,7 +1400,7 @@ Use the information in Table 17 to help you determine whether you need to config Control Microsoft Store access You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

    -**Group Policy.** To disable the Microsoft Store app, use the **Turn off the Store Application** group policy setting. To prevent Microsoft Store apps from receiving updates, use the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).

    +**Group Policy.** To disable the Microsoft Store app, use the **Turn off the Store Application** group policy setting. To prevent Microsoft Store apps from receiving updates, use the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](https://technet.microsoft.com/library/hh832040.aspx#BKMK_UseGP).

    **Intune.** To enable or disable Microsoft Store access, use the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration policy**. @@ -1429,7 +1428,7 @@ Use the information in Table 17 to help you determine whether you need to config Use of audio recording Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

    -**Group Policy.** To disable the Sound Recorder app, use the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894.aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx).

    +**Group Policy.** To disable the Sound Recorder app, use the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. To create AppLocker policies, use the information in [Editing an AppLocker Policy](https://technet.microsoft.com/library/ee791894.aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/library/ee791899.aspx).

    **Intune.** To enable or disable audio recording, use the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. @@ -1471,31 +1470,31 @@ Use the information in Table 17 to help you determine whether you need to config Now, you’re ready to use Group Policy to configure settings. The steps in this section assume that you have an AD DS infrastructure. Here, you configure the Group Policy settings you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. -For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx). +For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/library/cc754948.aspx). #### To configure Group Policy settings -1. Create a Group Policy object (GPO) to contain your Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx). +1. Create a Group Policy object (GPO) to contain your Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/library/cc738830.aspx). -2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx). +2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/library/cc739902.aspx). -3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954.aspx). +3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/library/cc738954.aspx). ### Configure settings by using Intune Now, you’re ready to use Intune to configure settings. The steps in this section assume that you have an Office 365 subscription. Here, you configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. -For more information about Intune, see [Microsoft Intune Documentation](https://docs.microsoft.com/en-us/intune/). +For more information about Intune, see [Microsoft Intune Documentation](https://docs.microsoft.com/intune/). #### To configure Intune settings -1. Add Intune to your Office 365 subscription by completing the steps in [Manage Intune licenses](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4). +1. Add Intune to your Office 365 subscription by completing the steps in [Manage Intune licenses](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4). -2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/get-ready-to-enroll-devices-in-microsoft-intune). +2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/get-ready-to-enroll-devices-in-microsoft-intune). -3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://docs.microsoft.com/en-us/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). +3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://docs.microsoft.com/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies). -4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/manage-windows-pcs-with-microsoft-intune). +4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-windows-pcs-with-microsoft-intune). ### Deploy and manage apps by using Intune @@ -1505,11 +1504,11 @@ You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune pr For more information about how to configure Intune to manage your apps, see the following resources: -- [Add apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/add-apps) -- [Deploy apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/deploy-apps) -- [Update apps using Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/update-apps-using-microsoft-intune) -- [Protect apps and data with Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/protect-apps-and-data-with-microsoft-intune) -- [Help protect your data with full or selective wipe using Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/use-remote-wipe-to-help-protect-data-using-microsoft-intune) +- [Add apps with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/add-apps) +- [Deploy apps with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/deploy-apps) +- [Update apps using Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/update-apps-using-microsoft-intune) +- [Protect apps and data with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/protect-apps-and-data-with-microsoft-intune) +- [Help protect your data with full or selective wipe using Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/use-remote-wipe-to-help-protect-data-using-microsoft-intune) ### Deploy and manage apps by using System Center Configuration Manager @@ -1521,7 +1520,7 @@ For example, you could create a Skype application that contains a deployment typ System Center Configuration Manager helps you manage apps by monitoring app installation. You can determine how many of your devices have a specific app installed. Finally, you can allow users to install apps at their discretion or make apps mandatory. -For more information about how to configure System Center Configuration Manager to deploy and manage your apps, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt627959.aspx). +For more information about how to configure System Center Configuration Manager to deploy and manage your apps, see [Deploy and manage applications with System Center Configuration Manager](https://technet.microsoft.com/library/mt627959.aspx). ### Manage updates by using Intune @@ -1533,8 +1532,8 @@ To help ensure that your users have the most current features and security prote For more information about how to configure Intune to manage updates and malware protection, see the following resources: -- [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune) -- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) +- [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune) +- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) ### Manage updates by using System Center Configuration Manager @@ -1544,7 +1543,7 @@ You configure the software updates feature to manage updates for specific versio >**Note**  When you configure System Center Configuration Manager and Intune in a hybrid model, you use System Center Configuration manager to manage updates as described in this section. -For more information about how to configure System Center Configuration Manager to manage Windows 10 and app updates, see [Deploy and manage software updates in System Center Configuration Manager](https://technet.microsoft.com/en-us/library/mt634340.aspx). +For more information about how to configure System Center Configuration Manager to manage Windows 10 and app updates, see [Deploy and manage software updates in System Center Configuration Manager](https://technet.microsoft.com/library/mt634340.aspx). #### Summary @@ -1571,7 +1570,7 @@ Prior to deployment of Windows 10, complete the tasks in Table 18. Most of these Use the Deployment Wizard to deploy Windows 10. With the LTI deployment process, you provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. ->**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx#Anchor_6). +>**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/library/dn781089.aspx#Anchor_6). In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. @@ -1580,7 +1579,7 @@ In most instances, deployments occur without incident. Only in rare occasions do 1. **Initiate the LTI deployment process.** Initiate the LTI deployment process by booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide. -2. **Complete the Deployment Wizard.** For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” section of [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Anchor_5). +2. **Complete the Deployment Wizard.** For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” section of [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/library/dn759415.aspx#Anchor_5). #### To use ZTI to deploy Windows 10 @@ -1658,10 +1657,10 @@ Table 19 lists the school and individual classroom maintenance tasks, the resour Verify that Windows Update is active and current with operating system and software updates.

    For more information about completing this task when you have:
      -
    • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
      • +
    • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
    • Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
      • -
    • WSUS, see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx).
      • -
    • Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in [Windows 10 help](https://support.microsoft.com/en-us/products/windows?os=windows-10).
      • +
    • WSUS, see [Windows Server Update Services](https://msdn.microsoft.com/library/bb332157.aspx).
      • +
    • Neither Intune, Group Policy, nor WSUS, see “Install, upgrade, & activate” in [Windows 10 help](https://support.microsoft.com/products/windows?os=windows-10).
    x @@ -1671,7 +1670,7 @@ For more information about completing this task when you have: Verify that Windows Defender is active and current with malware signatures.

    -For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/en-us/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02) and [Updating Windows Defender](https://support.microsoft.com/en-us/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03). +For more information about completing this task, see [Turn Windows Defender on or off](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab02) and [Updating Windows Defender](https://support.microsoft.com/instantanswers/742778f2-6aad-4a8d-8f5d-db59cebc4f24/how-to-protect-your-windows-10-pc#v1h=tab03). x x @@ -1680,7 +1679,7 @@ For more information about completing this task, see [Turn Windows Defender on o Verify that Windows Defender has run a scan in the past week and that no viruses or malware were found.

    -For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/en-us/help/17228/windows-protect-my-pc-from-viruses). +For more information about completing this task, see the “How do I find and remove a virus?” topic in [Protect my PC from viruses](https://support.microsoft.com/help/17228/windows-protect-my-pc-from-viruses). x x @@ -1846,13 +1845,13 @@ You have now identified the tasks you need to perform monthly, at the end of an ## Related topics -* [Try it out: Windows 10 deployment (for educational institutions)](https://technet.microsoft.com/en-us/windows/mt574244.aspx) -* [Try it out: Windows 10 in the classroom](https://technet.microsoft.com/en-us/windows/mt574243.aspx) +* [Try it out: Windows 10 deployment (for educational institutions)](https://technet.microsoft.com/windows/mt574244.aspx) +* [Try it out: Windows 10 in the classroom](https://technet.microsoft.com/windows/mt574243.aspx) * [Chromebook migration guide](https://technet.microsoft.com/edu/windows/chromebook-migration-guide) * [Deploy Windows 10 in a school](https://technet.microsoft.com/edu/windows/deploy-windows-10-in-a-school) -* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723345) -* [Deploy a custom Windows 10 Start menu layout for a school (video)](https://technet.microsoft.com/en-us/windows/mt723346) -* [Manage Windows 10 updates and upgrades in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723347) -* [Reprovision devices at the end of the school year (video)](https://technet.microsoft.com/en-us/windows/mt723344) -* [Use MDT to deploy Windows 10 in a school (video)](https://technet.microsoft.com/en-us/windows/mt723343) -* [Use Microsoft Store for Business in a school environment (video)](https://technet.microsoft.com/en-us/windows/mt723348) +* [Automate common Windows 10 deployment and configuration tasks for a school environment (video)](https://technet.microsoft.com/windows/mt723345) +* [Deploy a custom Windows 10 Start menu layout for a school (video)](https://technet.microsoft.com/windows/mt723346) +* [Manage Windows 10 updates and upgrades in a school environment (video)](https://technet.microsoft.com/windows/mt723347) +* [Reprovision devices at the end of the school year (video)](https://technet.microsoft.com/windows/mt723344) +* [Use MDT to deploy Windows 10 in a school (video)](https://technet.microsoft.com/windows/mt723343) +* [Use Microsoft Store for Business in a school environment (video)](https://technet.microsoft.com/windows/mt723348) diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index ac1eb3952d..d226f570db 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -3,7 +3,6 @@ title: Deploy Windows 10 in a school (Windows 10) description: Learn how to integrate your school environment with Microsoft Office 365, Active Directory Domain Services (AD DS), and Microsoft Azure Active Directory (Azure AD). Deploy Windows 10 and apps to new devices or upgrade existing devices to Windows 10. Manage faculty, students, and devices by using Microsoft Intune and Group Policy. keywords: configure, tools, device, school, deploy Windows 10 ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.pagetype: edu ms.sitesec: library @@ -56,8 +55,8 @@ This school configuration has the following characteristics: **Note**  In this guide, all references to MDT refer to the 64-bit version of MDT 2013 Update 2. - The devices use Azure AD in Office 365 Education for identity management. -- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/). -- Use [Intune](https://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](https://technet.microsoft.com/en-us/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices. +- If you have on-premises AD DS, you can [integrate Azure AD with on-premises AD DS](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/). +- Use [Intune](https://technet.microsoft.com/library/jj676587.aspx), [compliance settings in Office 365](https://support.office.com/en-us/article/Manage-mobile-devices-in-Office-365-dd892318-bc44-4eb1-af00-9db5430be3cd?ui=en-US&rs=en-US&ad=US), or [Group Policy](https://technet.microsoft.com/library/cc725828%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396) in AD DS to manage devices. - Each device supports a one-student-per-device or multiple-students-per-device scenario. - The devices can be a mixture of different make, model, and processor architecture (32 bit or 64 bit) or be identical. - To initiate Windows 10 deployment, use a USB flash drive, DVD-ROM or CD-ROM, or Pre-Boot Execution Environment Boot (PXE Boot). @@ -136,7 +135,7 @@ When you install the Windows ADK on the admin device, select the following featu - Windows Preinstallation Environment (Windows PE) - User State Migration Tool (USMT) -For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](https://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK). +For more information about installing the Windows ADK, see [Step 2-2: Install the Windows ADK](https://technet.microsoft.com/library/dn781086.aspx?f=255&MSPPError=-2147217396#InstallWindowsADK). ### Install MDT @@ -146,7 +145,7 @@ You can use MDT to deploy 32-bit or 64-bit versions of Windows 10. Install the 6 **Note**  If you install the 32-bit version of MDT, you can install only 32-bit versions of Windows 10. Ensure that you download and install the 64-bit version of MDT so that you can install 64-bit and 32 bit versions of the operating system. -For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/en-us/library/dn759415.aspx#InstallingaNewInstanceofMDT). +For more information about installing MDT on the admin device, see [Installing a New Instance of MDT](https://technet.microsoft.com/library/dn759415.aspx#InstallingaNewInstanceofMDT). Now, you’re ready to create the MDT deployment share and populate it with the operating system, apps, and device drivers you want to deploy to your devices. @@ -154,7 +153,7 @@ Now, you’re ready to create the MDT deployment share and populate it with the MDT includes the Deployment Workbench, a graphical user interface that you can use to manage MDT deployment shares. A deployment share is a shared folder that contains all the MDT deployment content. The LTI Deployment Wizard accesses the deployment content over the network or from a local copy of the deployment share (known as MDT deployment media). -For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](https://technet.microsoft.com/en-us/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare). +For more information about how to create a deployment share, see [Step 3-1: Create an MDT Deployment Share](https://technet.microsoft.com/library/dn781086.aspx?f=255&MSPPError=-2147217396#CreateMDTDeployShare). ### Summary @@ -302,7 +301,7 @@ Although all new Office 365 Education subscriptions have automatic licensing ena When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. -Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). +Educational institutions can obtain Azure AD Basic edition licenses at no cost. After you obtain your licenses, activate your Azure AD access by completing the steps in [Step 3: Activate your Azure Active Directory access](https://azure.microsoft.com/documentation/articles/active-directory-get-started-premium/#step-3-activate-your-azure-active-directory-access). The Azure AD Premium features that are not in Azure AD Basic include: @@ -322,8 +321,8 @@ You can sign up for Azure AD Premium, and then assign licenses to users. In this For more information about: -- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). -- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/en-us/library/azure/jj573650.aspx#create_tenant3). +- Azure AD editions and the features in each, see [Azure Active Directory editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/). +- How to enable Azure AD premium, see [Associate an Azure AD directory with a new Azure subscription](https://msdn.microsoft.com/library/azure/jj573650.aspx#create_tenant3). ### Summary You provision and initially configure Office 365 Education as part of the initial configuration. With the subscription in place, automatic tenant join configured, automatic licensing established, and Azure AD Premium enabled (if required), you’re ready to select the method you will use to create user accounts in Office 365. @@ -340,7 +339,7 @@ Now that you have an Office 365 subscription, you need to determine how you will In this method, you have an on-premises AD DS domain. As shown in Figure 4, the Azure AD Connector tool automatically synchronizes AD DS with Azure AD. When you add or change any user accounts in AD DS, the Azure AD Connector tool automatically updates Azure AD. -**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/en-us/library/dn510997.aspx?f=255&MSPPError=-2147217396). +**Note**  Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](https://technet.microsoft.com/library/dn510997.aspx?f=255&MSPPError=-2147217396). ![fig 4](images/deploy-win-10-school-figure4.png) @@ -389,7 +388,7 @@ You can deploy the Azure AD Connect tool by using one of the following methods: *Figure 7. Azure AD Connect in Azure* -This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/en-us/library/dn635310.aspx). +This guide describes how to run Azure AD Connect on premises. For information about running Azure AD Connect in Azure, see [Deploy Office 365 Directory Synchronization (DirSync) in Microsoft Azure](https://technet.microsoft.com/library/dn635310.aspx). ### Deploy Azure AD Connect on premises @@ -397,10 +396,10 @@ In this synchronization model (illustrated in Figure 6), you run Azure AD Connec #### To deploy AD DS and Azure AD synchronization -1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/). +1. Configure your environment to meet the prerequisites for installing Azure AD Connect by performing the steps in [Prerequisites for Azure AD Connect](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect-prerequisites/). 2. On the VM or physical device that will run Azure AD Connect, sign in with a domain administrator account. -3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect). -4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/#configure-sync-features). +3. Install Azure AD Connect by performing the steps in [Install Azure AD Connect](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/#install-azure-ad-connect). +4. Configure Azure AD Connect features based on your institution’s requirements by performing the steps in [Configure features](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/#configure-sync-features). Now that you have used on premises Azure AD Connect to deploy AD DS and Azure AD synchronization, you’re ready to verify that Azure AD Connect is synchronizing AD DS user and group accounts with Azure AD. @@ -440,8 +439,8 @@ Several methods are available to bulk-import user accounts into AD DS domains. T |Method | Description and reason to select this method | |-------| ---------------------------------------------| -|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/en-us/scriptcenter/dd939958.aspx).| +|Ldifde.exe |This command-line tool allows you to import and export objects (such as user accounts) from AD DS. Select this method if you aren’t comfortable with Microsoft Visual Basic Scripting Edition (VBScript), Windows PowerShell, or other scripting languages. For more information about using Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | This scripting language uses the Active Directory Services Interfaces (ADSI) Component Object Model interface to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with VBScript. For more information about using VBScript and ADSI, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx) and [ADSI Scriptomatic](https://technet.microsoft.com/scriptcenter/dd939958.aspx).| |Windows PowerShell| This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|

    ### Create a source file that contains the user and group accounts @@ -452,8 +451,8 @@ After you have selected your user and group account bulk import method, you’re | Method | Source file format | |--------| -------------------| -|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| -|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx).| +|Ldifde.exe|Ldifde.exe requires a specific format for the source file. Use Ldifde.exe to export existing user and group accounts so that you can see the format. For examples of the format that Ldifde.exe requires, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx).| +|VBScript | VBScript can use any .csv file format to create a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in comma-separated values (CSV) format, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx).| | Windows PowerShell| Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx).|

    ### Import the user accounts into AD DS @@ -464,8 +463,8 @@ With the bulk-import source file finished, you’re ready to import the user and For more information about how to import user accounts into AD DS by using: -- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/en-us/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). -- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/en-us/library/bb727091.aspx). +- Ldifde.exe, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx), [LDIFDE—Export/Import data from Active Directory—LDIFDE commands](https://support.microsoft.com/kb/555636), [Import or Export Directory Objects Using Ldifde](https://technet.microsoft.com/library/cc816781.aspx), and [LDIFDE](https://technet.microsoft.com/library/cc755456.aspx). +- VBScript, see [Step-by-Step Guide to Bulk Import and Export to Active Directory](https://technet.microsoft.com/library/bb727091.aspx). - Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). ### Summary @@ -524,7 +523,7 @@ You can assign Azure AD Premium licenses to the users who need the features this For more information about: -- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/). +- Azure AD editions, see [Azure Active Directory editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/). - How to assign user licenses for Azure AD Premium, see [How to assign EMS/Azure AD Premium licenses to user accounts](https://channel9.msdn.com/Series/Azure-Active-Directory-Videos-Demos/How-to-assign-Azure-AD-Premium-Licenses-to-user-accounts). ## Create and configure a Microsoft Store for Business portal @@ -705,14 +704,14 @@ The first step in preparation for Windows 10 deployment is to configure—that i 1. Import operating systems -Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). +Import the operating systems that you selected in the [Select operating systems](#select-the-operating-systems) section into the deployment share. For more information about how to import operating systems, see [Import an Operating System into the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#ImportanOperatingSystemintotheDeploymentWorkbench). 2. Import device drives Device drivers allow Windows 10 to know a device’s hardware resources and connected hardware accessories. Without the proper device drivers, certain features may be unavailable. For example, without the proper audio driver, a device cannot play sounds; without the proper camera driver, the device cannot take photos or use video chat.

    -Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). +Import device drivers for each device in your institution. For more information about how to import device drivers, see [Import Device Drivers into the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#ImportDeviceDriversintotheDeploymentWorkbench). @@ -727,8 +726,8 @@ If you have Intune, you can deploy Microsoft Store apps after you deploy Windows In addition, you must prepare your environment for sideloading (deploying) Microsoft Store apps. For more information about how to:

      -
    • Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/en-us/itpro/windows/deploy/sideload-apps-in-windows-10).
      • -
    • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
      • +
    • Prepare your environment for sideloading, see [Sideload LOB apps in Windows 10](https://technet.microsoft.com/itpro/windows/deploy/sideload-apps-in-windows-10).
      • +
    • Create an MDT application, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench).
    @@ -740,13 +739,13 @@ In addition, you must prepare your environment for sideloading (deploying) Micro You need to create an MDT application for each Windows desktop app you want to deploy. You can obtain the Windows desktop apps from any source, but ensure that you have sufficient licenses for them.

    -To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219423.aspx?f=255&MSPPError=-2147217396).

    +To help reduce the effort needed to deploy Microsoft Office 2016 desktop apps, use the Office Deployment Tool, as described in [Deploy Click-to-Run for Office 365 products by using the Office Deployment Tool](https://technet.microsoft.com/library/jj219423.aspx?f=255&MSPPError=-2147217396).

    If you have Intune, you can deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section. This method provides granular deployment of Windows desktop apps, and you can use it for ongoing management of the apps. This is the preferred method for deploying and managing Windows desktop apps.

    **Note**  You can also deploy Windows desktop apps after you deploy Windows 10, as described in the [Deploy apps by using Intune](#deploy-apps-by-using-intune) section.

    -For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). +For more information about how to create an MDT application for Window desktop apps, see [Create a New Application in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewApplicationintheDeploymentWorkbench). @@ -762,7 +761,7 @@ For more information about how to create an MDT application for Window desktop a
  • Upgrade existing devices to Windows 10 Education 32-bit.
    • -Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). +Again, you will create the task sequences based on the operating systems that you imported in Step 1. For more information about how to create a task sequence, see [Create a New Task Sequence in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#CreateaNewTaskSequenceintheDeploymentWorkbench). @@ -772,7 +771,7 @@ Again, you will create the task sequences based on the operating systems that yo Updating a deployment share generates the MDT boot images you use to initiate the Windows 10 deployment process. You can configure the process to create 32 bit and 64 bit versions of the .iso and .wim files you can use to create bootable media or in Windows Deployment Services.

    -For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/en-us/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). +For more information about how to update a deployment share, see [Update a Deployment Share in the Deployment Workbench](https://technet.microsoft.com/library/dn759415.aspx#UpdateaDeploymentShareintheDeploymentWorkbench). @@ -787,9 +786,9 @@ You can use Windows Deployment Services in conjunction with MDT to automatically - [Windows Deployment Services overview](https://technet.microsoft.com/library/hh831764.aspx) - The Windows Deployment Services Help file, included in Windows Deployment Services - - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/en-us/library/jj648426.aspx) + - [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) -2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

    The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/en-us/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). +2. Add LTI boot images (Windows PE images) to Windows Deployment Services.

    The LTI boot images (.wim files) that you will add to Windows Deployment Services are in the MDT deployment share. Locate the .wim files in the Boot subfolder in the deployment share. For more information about how to perform this step, see [Add LTI Boot Images to Windows Deployment Services](https://technet.microsoft.com/library/dn759415.aspx#AddLTIBootImagestoWindowsDeploymentServices). ### Summary @@ -902,7 +901,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 Use of Microsoft accounts You want faculty and students to use only Azure AD accounts for institution-owned devices. For these devices, do not use Microsoft accounts or associate a Microsoft account with the Azure AD accounts.

    **Note**  Personal devices typically use Microsoft accounts. Faculty and students can associate their Microsoft account with their Azure AD account on these devices.

    -**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/en-us/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

    +**Group Policy.** Configure the [Accounts: Block Microsoft accounts](https://technet.microsoft.com/library/jj966262.aspx?f=255&MSPPError=-2147217396) Group Policy setting to use the Users can’t add Microsoft accounts setting option.

    **Intune.** Enable or disable the camera by using the **Allow Microsoft account**, **Allow adding non-Microsoft accounts manually**, and **Allow settings synchronization for Microsoft accounts** policy settings under the **Accounts and Synchronization** section of a **Windows 10 General Configuration** policy. @@ -910,7 +909,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 Restrict local administrator accounts on the devices Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

    -**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).

    +**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/library/cc732525.aspx).

    **Intune**. Not available. @@ -918,7 +917,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 Restrict the local administrator accounts on the devices Ensure that only authorized users are local administrators on institution-owned devices. Typically, you don’t want students to be administrators on instruction-owned devices. Explicitly specify the users who will be local administrators on a group of devices.

    -**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/en-us/library/cc732525.aspx).

    +**Group Policy**. Create a **Local Group** Group Policy preference to limit the local administrators group membership. Select the **Delete all member users** and **Delete all member groups** check boxes to remove any existing members. For more information about how to configure Local Group preferences, see [Configure a Local Group Item](https://technet.microsoft.com/library/cc732525.aspx).

    **Intune**. Not available. @@ -926,7 +925,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 Manage the built-in administrator account created during device deployment When you use MDT to deploy Windows 10, the MDT deployment process automatically creates a local Administrator account with the password you specified. As a security best practice, rename the built-in Administrator account and optionally disable it.

    -**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/en-us/library/jj852165.aspx).

    +**Group Policy**. Rename the built-in Administrator account by using the **Accounts: Rename administrator account** Group Policy setting. For more information about how to rename the built-in Administrator account, see [To rename the Administrator account using the Group Policy Management Console](https://technet.microsoft.com/library/cc747484.aspx). You will specify the new name for the Administrator account. You can disable the built-in Administrator account by using the **Accounts: Administrator account status** Group Policy setting. For more information about how to disable the built-in Administrator account, see [Accounts: Administrator account status](https://technet.microsoft.com/library/jj852165.aspx).

    **Intune**. Not available. @@ -934,7 +933,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 Control Microsoft Store access You can control access to Microsoft Store and whether existing Microsoft Store apps receive updates. You can only disable the Microsoft Store app in Windows 10 Education and Windows 10 Enterprise.

    -**Group Policy**. You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](https://technet.microsoft.com/en-us/library/hh832040.aspx#BKMK_UseGP).

    +**Group Policy**. You can disable the Microsoft Store app by using the **Turn off the Store Application** Group Policy setting. You can prevent Microsoft Store apps from receiving updates by using the **Turn off Automatic Download and Install of updates** Group Policy setting. For more information about configuring these settings, see [Can I use Group Policy to control the Microsoft Store in my enterprise environment?](https://technet.microsoft.com/library/hh832040.aspx#BKMK_UseGP).

    **Intune**. You can enable or disable the camera by using the **Allow application store** policy setting in the **Apps** section of a **Windows 10 General Configuration** policy. @@ -958,7 +957,7 @@ Microsoft has several recommended settings for educational institutions. Table 1 Use of audio recording Audio recording (by using the Sound Recorder app) can be a source of disclosure or privacy issues in an education environment. Depending on your institution’s policies, you may want to disable the Sound Recorder app on your devices.

    -**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/en-us/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/en-us/library/ee791899.aspx).

    +**Group Policy**. You can disable the Sound Recorder app by using the **Do not allow Sound Recorder to run** Group Policy setting. You can disable other audio recording apps by using AppLocker policies. Create AppLocker policies by using the information in [Editing an AppLocker Policy](https://technet.microsoft.com/library/ee791894(v=ws.10).aspx) and [Create Your AppLocker Policies](https://technet.microsoft.com/library/ee791899.aspx).

    **Intune**. You can enable or disable the camera by using the **Allow voice recording** policy setting in the **Features** section of a **Windows 10 General Configuration** policy. @@ -994,32 +993,32 @@ Microsoft has several recommended settings for educational institutions. Table 1 Now, you’re ready to configure settings by using Group Policy. The steps in this section assume that you have an AD DS infrastructure. You will configure the Group Policy settings you select in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. -For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/en-us/library/cc754948.aspx). +For more information about Group Policy, see [Group Policy Planning and Deployment Guide](https://technet.microsoft.com/library/cc754948.aspx). #### To configure Group Policy settings -1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/en-us/library/cc738830.aspx). -2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/en-us/library/cc739902.aspx). -3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/en-us/library/cc738954(v=ws.10).aspx). +1. Create a Group Policy object (GPO) that will contain the Group Policy settings by completing the steps in [Create a new Group Policy object](https://technet.microsoft.com/library/cc738830.aspx). +2. Configure the settings in the GPO by completing the steps in [Edit a Group Policy object](https://technet.microsoft.com/library/cc739902.aspx). +3. Link the GPO to the appropriate AD DS site, domain, or organizational unit by completing the steps in [Link a Group Policy object to a site, domain, or organizational unit](https://technet.microsoft.com/library/cc738954(v=ws.10).aspx). ### Configure settings by using Intune Now, you’re ready to configure settings by using Intune. The steps in this section assume that you have an Office 365 subscription. You will configure the Intune settings that you selected in the [Select Microsoft-recommended settings](#select-microsoft-recommended-settings) section. -For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/en-us/intune/). +For more information about Intune, see [Documentation for Microsoft Intune](https://docs.microsoft.com/intune/). #### To configure Intune settings -1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/en-us/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune). -2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646962.aspx). -3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/en-us/library/dn646984.aspx). -4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/en-us/library/dn646959.aspx). +1. Add Intune to your Office 365 subscription by completing the steps in [Get started with a paid subscription to Microsoft Intune](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune). +2. Enroll devices with Intune by completing the steps in [Get ready to enroll devices in Microsoft Intune](https://technet.microsoft.com/library/dn646962.aspx). +3. Configure the settings in Intune Windows 10 policies by completing the steps in [Manage settings and features on your devices with Microsoft Intune policies](https://technet.microsoft.com/library/dn646984.aspx). +4. Manage Windows 10 devices by completing the steps in [Manage Windows PCs with Microsoft Intune](https://technet.microsoft.com/library/dn646959.aspx). ### Deploy apps by using Intune You can use Intune to deploy Microsoft Store and Windows desktop apps. Intune provides improved control over which users receive specific apps. In addition, Intune allows you deploy apps to companion devices (such as Windows 10 Mobile, iOS, or Android devices) Finally, Intune helps you manage app security and features, such as mobile application management policies that let you manage apps on devices that are not enrolled in Intune or are managed by another solution. -For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/en-us/intune/). +For more information about how to configure Intune to manage your apps, see [Deploy and configure apps with Microsoft Intune](https://docs.microsoft.com/intune/). ### Summary @@ -1046,14 +1045,14 @@ Prior to deployment of Windows 10, ensure that you complete the tasks listed in Use the Deployment Wizard to deploy Windows 10. The LTI deployment process is almost fully automated: You provide only minimal information to the Deployment Wizard at the beginning of the process. After the wizard collects the necessary information, the remainder of the process is fully automated. -**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/en-us/library/dn781089.aspx). +**Note**  To fully automate the LTI deployment process, complete the steps in the “Fully Automated LTI Deployment Scenario” section in the [Microsoft Deployment Toolkit Samples Guide](https://technet.microsoft.com/library/dn781089.aspx). In most instances, deployments occur without incident. Only in rare occasions do deployments experience problems. #### To deploy Windows 10 1. **Initiate the LTI deployment process**. Initiate the LTI deployment process booting over the network (PXE boot) or from local media. You selected the method for initiating the LTI deployment process in the [Select a method to initiate deployment](#select-a-method-to-initiate-deployment) section earlier in this guide. -2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/en-us/library/dn759415.aspx#Running%20the%20Deployment%20Wizard). +2. **Complete the Deployment Wizard**. For more information about how to complete the Deployment Wizard, see the “Running the Deployment Wizard” topic in [Using the Microsoft Deployment Toolkit](https://technet.microsoft.com/library/dn759415.aspx#Running%20the%20Deployment%20Wizard). ### Set up printers @@ -1124,9 +1123,9 @@ Table 13 lists the school and individual classroom maintenance tasks, the resour Verify that Windows Update is active and current with operating system and software updates.

    For more information about completing this task when you have:

      -
    • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
      • +
    • Intune, see [Keep Windows PCs up to date with software updates in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/keep-windows-pcs-up-to-date-with-software-updates-in-microsoft-intune).
    • Group Policy, see [Windows Update for Business](https://technet.microsoft.com/itpro/windows/plan/windows-update-for-business).
      • -
    • Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/en-us/library/bb332157.aspx?f=255&MSPPError=-2147217396).
      • +
    • Windows Server Update Services (WSUS), see [Windows Server Update Services](https://msdn.microsoft.com/library/bb332157.aspx?f=255&MSPPError=-2147217396).
    • Neither Intune, Group Policy, or WSUS, see [Update Windows 10](https://windows.microsoft.com/en-id/windows-10/update-windows-10)
    diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 17435853f2..82c72e22f5 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -8,8 +8,7 @@ ms.localizationpriority: medium author: CelesteDG ms.author: celested ms.date: 10/13/2017 -ms.prod: W10 -ms.technology: Windows +ms.prod: w10 --- # Deployment recommendations for school IT administrators diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index d90e41f458..af93be32ee 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -2,7 +2,7 @@ title: Education scenarios Microsoft Store for Education description: Learn how IT admins and teachers can use Microsoft Store for Education to acquire and manage apps in schools. keywords: school, Microsoft Store for Education, Microsoft education store -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -10,8 +10,7 @@ searchScope: - Store author: trudyha ms.author: trudyha -ms.date: 3/30/2018 -ms.technology: Windows +ms.date: 03/30/2018 --- # Working with Microsoft Store for Education diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md index de525d8e81..f58a24b82c 100644 --- a/education/windows/enable-s-mode-on-surface-go-devices.md +++ b/education/windows/enable-s-mode-on-surface-go-devices.md @@ -3,13 +3,12 @@ title: Enable S mode on Surface Go devices for Education description: Steps that an education customer can perform to enable S mode on Surface Go devices keywords: Surface Go for Education, S mode ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium author: kaushika-msft -ms.author: +ms.author: kaushik ms.date: 07/30/2018 --- @@ -48,14 +47,14 @@ process](https://docs.microsoft.com/windows/deployment/windows-10-deployment-sce Copy ``` - - + + 1 @@ -94,14 +93,14 @@ Education customers who wish to avoid the additional overhead associated with Wi Copy ``` - - + + 1 @@ -129,17 +128,17 @@ Upon reboot, you should find your Surface Go device now is now in S mode. ## Additional Info -[Windows 10 deployment scenarios](https://docs.microsoft.com/en-us/windows/deployment/windows-10-deployment-scenarios) +[Windows 10 deployment scenarios](https://docs.microsoft.com/windows/deployment/windows-10-deployment-scenarios) -[Windows 10 deployment scenarios and tools](https://docs.microsoft.com/en-us/windows/deployment/windows-deployment-scenarios-and-tools) +[Windows 10 deployment scenarios and tools](https://docs.microsoft.com/windows/deployment/windows-deployment-scenarios-and-tools) -[Download and install the Windows ADK](https://docs.microsoft.com/en-us/windows-hardware/get-started/adk-install) +[Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) -[Windows ADK for Windows 10 scenarios for IT Pros](https://docs.microsoft.com/en-us/windows/deployment/windows-adk-scenarios-for-it-pros) +[Windows ADK for Windows 10 scenarios for IT Pros](https://docs.microsoft.com/windows/deployment/windows-adk-scenarios-for-it-pros) -[Modify a Windows Image Using DISM](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) +[Modify a Windows Image Using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism) -[Service a Windows Image Using DISM](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/service-a-windows-image-using-dism) +[Service a Windows Image Using DISM](https://docs.microsoft.com/windows-hardware/manufacture/desktop/service-a-windows-image-using-dism) -[DISM Image Management Command-Line Options](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14) +[DISM Image Management Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-image-management-command-line-options-s14) diff --git a/education/windows/get-minecraft-device-promotion.md b/education/windows/get-minecraft-device-promotion.md index 6fb8b22725..d0b001b4b7 100644 --- a/education/windows/get-minecraft-device-promotion.md +++ b/education/windows/get-minecraft-device-promotion.md @@ -2,7 +2,7 @@ title: Get Minecraft Education Edition with your Windows 10 device promotion description: Windows 10 device promotion for Minecraft Education Edition licenses keywords: school, Minecraft, education edition -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -11,7 +11,6 @@ searchScope: - Store ms.author: trudyha ms.date: 06/05/2018 -ms.technology: Windows --- # Get Minecraft: Education Edition with Windows 10 device promotion diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 11aeea97ed..aadf84aabc 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -2,7 +2,7 @@ title: Get Minecraft Education Edition description: Learn how to get and distribute Minecraft Education Edition. keywords: school, Minecraft, education edition -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -11,7 +11,6 @@ searchScope: - Store ms.author: trudyha ms.date: 07/27/2017 -ms.technology: Windows ms.topic: conceptual --- @@ -22,7 +21,7 @@ ms.topic: conceptual - Windows 10 -[Minecraft: Education Edition](http://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. +[Minecraft: Education Edition](https://education.minecraft.net/) is built for learning. Watch this video to learn more about Minecraft. diff --git a/education/windows/images/1810_Name_Your_Package_SUSPC.png b/education/windows/images/1810_Name_Your_Package_SUSPC.png new file mode 100644 index 0000000000..69b81c91e4 Binary files /dev/null and b/education/windows/images/1810_Name_Your_Package_SUSPC.png differ diff --git a/education/windows/images/1810_SUSPC_Insert_USB.png b/education/windows/images/1810_SUSPC_Insert_USB.png new file mode 100644 index 0000000000..c3fdd47011 Binary files /dev/null and b/education/windows/images/1810_SUSPC_Insert_USB.png differ diff --git a/education/windows/images/1810_SUSPC_Package_ready.png b/education/windows/images/1810_SUSPC_Package_ready.png new file mode 100644 index 0000000000..b296fb3f84 Binary files /dev/null and b/education/windows/images/1810_SUSPC_Package_ready.png differ diff --git a/education/windows/images/1810_SUSPC_Product_key.png b/education/windows/images/1810_SUSPC_Product_key.png new file mode 100644 index 0000000000..3619edb5bf Binary files /dev/null and b/education/windows/images/1810_SUSPC_Product_key.png differ diff --git a/education/windows/images/1810_SUSPC_Take_Test.png b/education/windows/images/1810_SUSPC_Take_Test.png new file mode 100644 index 0000000000..d7920a492f Binary files /dev/null and b/education/windows/images/1810_SUSPC_Take_Test.png differ diff --git a/education/windows/images/1810_SUSPC_USB.png b/education/windows/images/1810_SUSPC_USB.png new file mode 100644 index 0000000000..9e6be13a46 Binary files /dev/null and b/education/windows/images/1810_SUSPC_USB.png differ diff --git a/education/windows/images/1810_SUSPC_add_apps.png b/education/windows/images/1810_SUSPC_add_apps.png new file mode 100644 index 0000000000..d7a296722f Binary files /dev/null and b/education/windows/images/1810_SUSPC_add_apps.png differ diff --git a/education/windows/images/1810_SUSPC_app_error.png b/education/windows/images/1810_SUSPC_app_error.png new file mode 100644 index 0000000000..a2d3a35e34 Binary files /dev/null and b/education/windows/images/1810_SUSPC_app_error.png differ diff --git a/education/windows/images/1810_SUSPC_available_settings.png b/education/windows/images/1810_SUSPC_available_settings.png new file mode 100644 index 0000000000..a208aa1fa8 Binary files /dev/null and b/education/windows/images/1810_SUSPC_available_settings.png differ diff --git a/education/windows/images/1810_SUSPC_personalization.png b/education/windows/images/1810_SUSPC_personalization.png new file mode 100644 index 0000000000..bbcbf878f0 Binary files /dev/null and b/education/windows/images/1810_SUSPC_personalization.png differ diff --git a/education/windows/images/1810_SUSPC_select_Wifi.png b/education/windows/images/1810_SUSPC_select_Wifi.png new file mode 100644 index 0000000000..f0f54c55c9 Binary files /dev/null and b/education/windows/images/1810_SUSPC_select_Wifi.png differ diff --git a/education/windows/images/1810_SUSPC_summary.png b/education/windows/images/1810_SUSPC_summary.png new file mode 100644 index 0000000000..de83332463 Binary files /dev/null and b/education/windows/images/1810_SUSPC_summary.png differ diff --git a/education/windows/images/1810_Sign_In_SUSPC.png b/education/windows/images/1810_Sign_In_SUSPC.png new file mode 100644 index 0000000000..b4ac241f72 Binary files /dev/null and b/education/windows/images/1810_Sign_In_SUSPC.png differ diff --git a/education/windows/images/1810_choose_account_SUSPC.png b/education/windows/images/1810_choose_account_SUSPC.png new file mode 100644 index 0000000000..c702fc87ea Binary files /dev/null and b/education/windows/images/1810_choose_account_SUSPC.png differ diff --git a/education/windows/images/1810_name-devices_SUSPC.png b/education/windows/images/1810_name-devices_SUSPC.png new file mode 100644 index 0000000000..6cfe014572 Binary files /dev/null and b/education/windows/images/1810_name-devices_SUSPC.png differ diff --git a/education/windows/images/1810_suspc_settings.png b/education/windows/images/1810_suspc_settings.png new file mode 100644 index 0000000000..c42bf2337e Binary files /dev/null and b/education/windows/images/1810_suspc_settings.png differ diff --git a/education/windows/images/1810_suspc_timezone.png b/education/windows/images/1810_suspc_timezone.png new file mode 100644 index 0000000000..1a4dfb7aa1 Binary files /dev/null and b/education/windows/images/1810_suspc_timezone.png differ diff --git a/education/windows/index.md b/education/windows/index.md index 6e21549be3..d30a753c88 100644 --- a/education/windows/index.md +++ b/education/windows/index.md @@ -3,7 +3,6 @@ title: Windows 10 for Education (Windows 10) description: Learn how to use Windows 10 in schools. keywords: Windows 10, education ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: edu @@ -60,5 +59,5 @@ Follow these links to find step-by-step guidance on how to deploy Windows 8.1 in - [Windows 10 and Windows 10 Mobile](https://technet.microsoft.com/itpro/windows/index) diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index 1dca2c3783..363cc0b93e 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md @@ -5,11 +5,10 @@ keywords: Windows 10 S switch, S mode Switch, switch in S mode, Switch S mode, W ms.mktglfcycl: deploy ms.localizationpriority: medium ms.prod: w10 -ms.technology: Windows ms.sitesec: library ms.pagetype: edu -ms.date: 04/30/2018 -author: Mikeblodge +ms.date: 12/03/2018 +author: jaimeo --- # Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode @@ -54,7 +53,7 @@ Tenant-wide Windows 10 Pro in S mode > Pro Education in S mode
    Tenant-wide Windows 10 Pro > Pro Education > [!IMPORTANT] -> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. +> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to roll back this kind of switch is through a [bare metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. ### Devices running Windows 10, version 1709 @@ -66,7 +65,7 @@ Tenant-wide Windows 10 Pro > Pro Education > There is currently no "bulk-switch" option for devices running Windows 10, version 1803. ## Related Topics -[FAQs](https://support.microsoft.com/en-us/help/4020089/windows-10-in-s-mode-faq)
    +[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
    [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
    [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
    [Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) \ No newline at end of file diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index d2daacd44e..2def962415 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -2,7 +2,7 @@ title: For IT administrators get Minecraft Education Edition description: Learn how IT admins can get and distribute Minecraft in their schools. keywords: Minecraft, Education Edition, IT admins, acquire -ms.prod: W10 +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -10,8 +10,7 @@ author: trudyha searchScope: - Store ms.author: trudyha -ms.date: 1/5/2018 -ms.technology: Windows +ms.date: 01/05/2018 ms.topic: conceptual --- @@ -21,7 +20,7 @@ ms.topic: conceptual - Windows 10 -When you sign up for a [Minecraft: Education Edition](http://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](http://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. +When you sign up for a [Minecraft: Education Edition](https://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](https://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization. >[!Note] >If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans). @@ -34,7 +33,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions ### Minecraft: Education Edition - direct purchase -1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**. +1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**. diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index 16b59b9799..4a0081092e 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -3,7 +3,6 @@ title: Azure AD Join with Setup School PCs app description: Describes how Azure AD Join is configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 16b671865d..e362f372b9 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -3,20 +3,19 @@ title: What's in Set up School PCs provisioning package description: Lists the provisioning package settings that are configured in the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu ms.localizationpriority: medium author: lenewsad ms.author: lanewsad -ms.date: 07/13/2018 +ms.date: 10/17/2018 --- # What's in my provisioning package? The Set up School PCs app builds a specialized provisioning package with school-optimized settings. -A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/mt723294%28v=vs.85%29.aspx) article. +A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [SharedPC configuration service provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/mt723294%28v=vs.85%29.aspx) article. ## Shared PC Mode policies This table outlines the policies applied to devices in shared PC mode. If you [selected to optimize a device for use by a single student](set-up-school-pcs-shared-pc-mode.md#optimize-device-for-use-by-a-single-student), the table notes the differences. Specifically, you'll see differences in the following policies: @@ -26,12 +25,12 @@ This table outlines the policies applied to devices in shared PC mode. If you [s In the table, *True* means that the setting is enabled, allowed, or applied. Use the **Description** column to help you understand the context for each setting. -For a more detailed look at the policies, see the Windows article [Set up shared or guest PC](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc#policies-set-by-shared-pc-mode). +For a more detailed look at the policies, see the Windows article [Set up shared or guest PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc#policies-set-by-shared-pc-mode). |Policy name|Default value|Description| |---------|---------|---------| |Enable Shared PC mode|True| Configures the PCs so they are in shared PC mode.| -|Set education policies | True | School-optimized settings are applied to the PCs so that they are appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](https://docs.microsoft.com/en-us/education/windows/configure-windows-for-education). | +|Set education policies | True | School-optimized settings are applied to the PCs so that they are appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](https://docs.microsoft.com/education/windows/configure-windows-for-education). | |Account Model| Only guest, Domain-joined only, or Domain-joined and guest |Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. | |Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they have not signed in within the number of days specified by inactive threshold policy. | |Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. | @@ -50,7 +49,7 @@ For a more detailed look at the policies, see the Windows article [Set up shared ## MDM and local group policies This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app. -For a more detailed look of each policy listed, see [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation. +For a more detailed look of each policy listed, see [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation. |Policy name |Default value |Description | @@ -107,6 +106,22 @@ Set up School PCs uses the Universal app install policy to install school-releva * OneNote * Sway +## Provisioning time estimates +The time it takes to install a package on a device depends on the: + +* Strength of network connection +* Number of policies and apps within the package +* Additional configurations made to the device + +Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes pre-installed apps, through CleanPC, will take much longer to provision. + +|Configurations |Connection type |Estimated provisioning time | +|---------|---------|---------| +|Default settings only | Wi-Fi | 3 to 5 minutes | +|Default settings + apps | Wi-Fi | 10 to 15 minutes | +|Default settings + remove pre-installed apps (CleanPC) | Wi-Fi | 60 minutes | +|Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes | + ## Next steps Learn more about setting up devices with the Set up School PCs app. * [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) diff --git a/education/windows/set-up-school-pcs-shared-pc-mode.md b/education/windows/set-up-school-pcs-shared-pc-mode.md index acebeccc44..3b3a9148a0 100644 --- a/education/windows/set-up-school-pcs-shared-pc-mode.md +++ b/education/windows/set-up-school-pcs-shared-pc-mode.md @@ -3,7 +3,6 @@ title: Shared PC mode for school devices description: Describes how shared PC mode is set for devices set up with the Set up School PCs app. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -23,7 +22,7 @@ Shared PC mode can be applied on devices running: * Windows 10 Education * Windows 10 Enterprise -To learn more about how to set up a device in shared PC mode, see [Set up a shared or guest PC with Windows 10](https://docs.microsoft.com/en-us/windows/configuration/set-up-shared-or-guest-pc). +To learn more about how to set up a device in shared PC mode, see [Set up a shared or guest PC with Windows 10](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc). ## Windows Updates Shared PC mode configures power and Windows Update settings so that computers update regularly. Computers that are set up through the Set up School PCs app are configured to: diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index b23242412b..957af5e711 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -3,7 +3,6 @@ title: Set up School PCs app technical reference overview description: Describes the purpose of the Set up School PCs app for Windows 10 devices. keywords: shared cart, shared PC, school, set up school pcs ms.prod: w10 -ms.technology: Windows ms.mktglfcycl: plan ms.sitesec: library ms.pagetype: edu @@ -54,7 +53,7 @@ The following table describes the Set up School PCs app features and lists each | Students sign in with their IDs to access all Office 365 web apps or installed Office apps. | | | | | | **Take a Test app** | | | | X | | Administer quizzes and assessments through test providers such as Smarter Balanced. | | | | | -| [Settings roaming](https://azure.microsoft.com/en-us/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD** | | | | X | +| [Settings roaming](https://azure.microsoft.com/documentation/articles/active-directory-windows-enterprise-state-roaming-overview/) **via Azure AD** | | | | X | | Synchronize student and application data across devices for a personalized experience. | | | | | > [!NOTE] diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md new file mode 100644 index 0000000000..b1f56ae163 --- /dev/null +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -0,0 +1,56 @@ +--- +title: What's new in the Windows Set up School PCs app +description: Find out about app updates and new features in Set up School PCs. +keywords: shared cart, shared PC, school, set up school pcs +ms.prod: w10 +ms.mktglfcycl: plan +ms.sitesec: library +ms.pagetype: edu +ms.localizationpriority: medium +author: lenewsad +ms.author: lanewsad +ms.date: 10/23/2018 +--- + +# What's new in Set up School PCs +Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, and see updated screenshots. You'll also find information about past releases. + +## Week of October 15, 2018 + +The Set up School PCs app was updated with the following changes: + +### Three new setup screens added to the app +The following screens and functionality were added to the setup workflow. Select any screenname to view the relevant steps and screenshots in the Set Up School PCs docs. + +* [**Package name**](use-set-up-school-pcs-app.md#package-name): Customize a package name to make it easy to recognize it from your school's other packages. The name is generated by Azure Active Directory and appears as the filename and as the token name in Azure AD in the Azure portal. + +* [**Product key**](use-set-up-school-pcs-app.md#product-key): Enter a product key to upgrade your current edition of Windows 10, or change the existing product key. + +* [**Personalization**](use-set-up-school-pcs-app.md#personalization): Upload images from your computer to customize how the lock screen and background appears on student devices. + +### Azure AD token expiration extended to 180 days +Packages now expire 180 days from the date you create them. + +### Updated apps with more helpful, descriptive text +We've updated the app's **Skip** buttons to clarify the intent of each action. You'll also see an **Exit** button on the last page of the app. + +### Option to keep existing device names +The [**Name these devices** screen](use-set-up-school-pcs-app.md#device-names) now gives you the option to keep the orginal or existing names of your student devices. + +### Skype and Messaging apps to be removed from student PCs by default +We've added the Skype and Messaging app to a selection of apps that are, by default, removed from student devices. + + +## Next steps +Learn more about setting up devices with the Set up School PCs app. +* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) +* [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md) +* [Set up School PCs technical reference](set-up-school-pcs-technical.md) +* [Set up Windows 10 devices for education](set-up-windows-10.md) + +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). + + + + + diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 35a9fc88f6..a14aa4c69b 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -2,8 +2,7 @@ title: Set up student PCs to join domain description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. keywords: school, student PC setup, Windows Configuration Designer -ms.prod: W10 -ms.technology: Windows +ms.prod: w10 ms.mktglfcycl: plan ms.sitesec: library ms.localizationpriority: medium @@ -23,7 +22,7 @@ If your school uses Active Directory, use the Windows Configuration Designer too Follow the instructions in [Install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd). ## Create the provisioning package -Follow the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-for-initial-deployment). However, make a note of these steps to further customize the provisioning package for use in a school that will join a student PC to a domain: +Follow the steps in [Provision PCs with common settings for initial deployment (desktop wizard)](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-for-initial-deployment). However, make a note of these steps to further customize the provisioning package for use in a school that will join a student PC to a domain: 1. In the **Account Management** step: @@ -56,7 +55,7 @@ Follow the steps in [Provision PCs with common settings for initial deployment ( 5. To configure other settings to make Windows education ready, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md) and follow the guidance on what settings you can set using Windows Configuration Designer. -6. Follow the steps to [build a package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-create-package#build-package). +6. Follow the steps to [build a package](https://technet.microsoft.com/itpro/windows/configure/provisioning-create-package#build-package). - You will see the file path for your provisioning package. By default, this is set to %windir%\Users\*your_username*\Windows Imaging and Configuration Designer (WICD)\*Project name*). - Copy the provisioning package to a USB drive. @@ -65,7 +64,7 @@ Follow the steps in [Provision PCs with common settings for initial deployment ( ## Apply package -Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/en-us/itpro/windows/configure/provisioning-apply-package) to apply the package that you created. +Follow the steps in [Apply a provisioning package](https://technet.microsoft.com/itpro/windows/configure/provisioning-apply-package) to apply the package that you created. diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 225541c3e4..77b6702db0 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -3,7 +3,6 @@ title: Provision student PCs with apps description: Learn how to use Configuration Designer to easily provision student devices to join Active Directory. keywords: shared cart, shared PC, school, provision PCs with apps, Windows Configuration Designer ms.prod: w10 -ms.technology: Windows ms.pagetype: edu ms.mktglfcycl: plan ms.sitesec: library @@ -19,13 +18,13 @@ ms.date: 10/13/2017 - Windows 10 -To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-with-apps). +To create and apply a provisioning package that contains apps to a device running all desktop editions of Windows 10 except Windows 10 Home, follow the steps in [Provision PCs with apps](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-with-apps). Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more. You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices. -- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-with-apps). -- If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](https://technet.microsoft.com/en-us/itpro/windows/configure/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package. +- If you want to [provision a school PC to join a domain](set-up-students-pcs-to-join-domain.md) and add apps in the same provisioning package, follow the steps in [Provision PCs with apps](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-with-apps). +- If you want to provision a school PC to join Azure AD, set up the PC using the steps in [Use Set up School PCs App](use-set-up-school-pcs-app.md). Set up School PCs now lets you add recommended apps from the Store so you can add these apps while you're creating your package through Set up School PCs. You can also follow the steps in [Provision PCs with apps](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-with-apps) if you want to add apps to student PCs after initial setup with the Set up School PCs package. -Microsoft Store adds the app to **Apps & software**. Click **Manage**, **Apps & software** for app distribution options. +Microsoft Store adds the app to **Products and services**. Click **Manage**, **Apps & software** for app distribution options. **To make an app in Apps & software available in your private store** 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then choose **Apps & software**. +2. Click **Manage**, and then choose **Products and services**. @@ -52,6 +51,9 @@ The value under **Private store** for the app will change to pending. It will ta >[!Note] > If you are working with a new Line-of-Business (LOB) app, you have to wait for the app to be avilable in **Products & services** before adding it to your private store. For more information, see [Working with line of business apps](working-with-line-of-business-apps.md). +## Private store availability +You can use security groups to scope which users can install an app from your private store. For more information, see [Private store availability](app-inventory-management-microsoft-store-for-business.md#private-store-availability). + Employees can claim apps that admins added to the private store by doing the following. **To claim an app from the private store** @@ -60,16 +62,8 @@ Employees can claim apps that admins added to the private store by doing the fol 2. Click the **private store** tab. 3. Click the app you want to install, and then click **Install**. + ## Related topics - [Manage access to private store](manage-access-to-private-store.md) - [Manage private store settings](manage-private-store-settings.md) -- [Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store) - -  - -  - - - - - +- [Configure access to Microsoft Store](/windows/configuration/stop-employees-from-using-microsoft-store) \ No newline at end of file diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md index ed8eff5bb0..cab9bdc670 100644 --- a/store-for-business/distribute-apps-with-management-tool.md +++ b/store-for-business/distribute-apps-with-management-tool.md @@ -42,7 +42,7 @@ MDM tool requirements: ## Distribute offline-licensed apps -If your vendor doesn’t support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business](https://docs.microsoft.com/en-us/microsoft-store/apps-in-microsoft-store-for-business#licensing-model). +If your vendor doesn’t support the ability to synchronize applications from the management tool services, or can't connect to the management tool services, your vendor may support the ability to deploy offline licensed applications by downloading the application and license from the store and then deploying the app through your MDM. For more information on online and offline licensing with Store for Business, see [Apps in the Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/apps-in-microsoft-store-for-business#licensing-model). This diagram shows how you can use a management tool to distribute offline-licensed app to employees in your organization. Once synchronized from Store for Business, management tools can use the Windows Management framework to distribute applications to devices. diff --git a/store-for-business/images/msfb-find-partner.png b/store-for-business/images/msfb-find-partner.png new file mode 100644 index 0000000000..23759cfb5f Binary files /dev/null and b/store-for-business/images/msfb-find-partner.png differ diff --git a/store-for-business/images/msfb-provider-list.png b/store-for-business/images/msfb-provider-list.png new file mode 100644 index 0000000000..2fbafca80f Binary files /dev/null and b/store-for-business/images/msfb-provider-list.png differ diff --git a/store-for-business/images/msft-accept-partner.png b/store-for-business/images/msft-accept-partner.png new file mode 100644 index 0000000000..6b04d822a4 Binary files /dev/null and b/store-for-business/images/msft-accept-partner.png differ diff --git a/store-for-business/images/security-groups-icon.png b/store-for-business/images/security-groups-icon.png new file mode 100644 index 0000000000..328a60837d Binary files /dev/null and b/store-for-business/images/security-groups-icon.png differ diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md index 890829a7d5..618205cdd5 100644 --- a/store-for-business/prerequisites-microsoft-store-for-business.md +++ b/store-for-business/prerequisites-microsoft-store-for-business.md @@ -47,7 +47,7 @@ While not required, you can use a management tool to distribute and manage apps. ## Proxy configuration -If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy sever to block traffic, your configuration needs to allow these URLs: +If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs: - login.live.com - login.windows.net @@ -56,6 +56,7 @@ If your organization restricts computers on your network from connecting to the - windowsphone.com - \*.wns.windows.com - \*.microsoft.com +- \*.s-microsoft.com - www.msftncsi.com (prior to Windows 10, version 1607) - www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com starting with Windows 10, version 1607) diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index 67c65aeebb..2bcdcd39b9 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -8,17 +8,23 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 08/29/2018 +ms.date: 10/31/2018 --- # Microsoft Store for Business and Education release history -Microsoft Store for Business and Education regularly releases new and improved feaures. Here's a summary of new or updated features in previous releases. +Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases. Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## September 2018 +- **Performance improvements** - With updates and improvements in the private store, most changes, like adding an app, will take fifteen minutes or less. [Get more info](https://https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) + +## August 2018 +- **App requests** - People in your organization can make requests for apps that they need. hey can also request them on behalf of other people. Admins review requests and can decide on purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#allow-app-requests) + ## July 2018 -- Bug fixes and permformance improvements. +- Bug fixes and performance improvements. ## June 2018 - **Change order within private store collection** - Continuing our focus on improvements for private store, now you can customize the order of products in each private store collection. @@ -33,7 +39,7 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store - **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period. ## March 2018 -- **Performance improvements in private store** - We've made it significantly faster for you to udpate the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) +- **Performance improvements in private store** - We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) - **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections) - **Manage Skype Communication credits** - Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings. @@ -47,20 +53,20 @@ Looking for info on the latest release? Check out [What's new in Microsoft Store - **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role. ## December 2017 -- Bug fixes and permformance improvements. +- Bug fixes and performance improvements. ## November 2017 - **Export list of Minecraft: Education Edition users** - Admins and teachers can now export a list of users who have Minecraft: Education Edition licenses assigned to them. Click **Export users**, and Store for Education creates an Excel spreadsheet for you, and saves it as a .csv file. ## October 2017 -- Bug fixes and permformance improvements. +- Bug fixes and performance improvements. ## September 2017 - **Manage Windows device deployment with Windows Autopilot Deployment** - In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device. [Get more info](add-profile-to-devices.md) -- **Request an app** - People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps) +- **Request an app** - People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#request-apps) - **My organization** - **My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account. -- **Manage prepaid Office 365 subscriptions** - Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date. +- **Manage prepaid Office 365 subscriptions** - Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redeeming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date. - **Manage Office 365 subscriptions acquired by partners** - Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions. - **Edge extensions in Microsoft Store** - Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app. -- **Search results in Microsoft Store for Business** - Search results now have sub categories to help you refine search results. \ No newline at end of file +- **Search results in Microsoft Store for Business** - Search results now have sub categories to help you refine search results. diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md index 9e45080286..04db2ea942 100644 --- a/store-for-business/settings-reference-microsoft-store-for-business.md +++ b/store-for-business/settings-reference-microsoft-store-for-business.md @@ -30,7 +30,7 @@ The Microsoft Store for Business and Education has a group of settings that admi | Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** | | Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** | | Allow users to shop | Configure whether or not people in your organization or school can see and use the shop function in Store for Business or Store for Education. For more information, see [Allow users to shop](acquire-apps-microsoft-store-for-business.md#allow-users-to-shop). | **Settings - Shop** | -| Make everyone a Basic Purchaser | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](https://docs.microsoft.com/en-us/education/windows/education-scenarios-store-for-business#basic-purchaser-role).
    **Make everyone a Basic Purchaser** is only available in Microsoft Store for Education. | **Settings - Shop** | +| Make everyone a Basic Purchaser | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business#basic-purchaser-role).
    **Make everyone a Basic Purchaser** is only available in Microsoft Store for Education. | **Settings - Shop** | | App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Distribute** | | Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** | | Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** | diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md index 7f99708123..f4429a667f 100644 --- a/store-for-business/sfb-change-history.md +++ b/store-for-business/sfb-change-history.md @@ -22,7 +22,7 @@ ms.localizationpriority: medium ## April 2018 | New or changed topic | Description | | --- | --- | -| [Configure access to Microsoft Store](https://docs.microsoft.com/en-us/windows/configuration/stop-employees-from-using-microsoft-store#a-href-idblock-store-group-policyablock-microsoft-store-using-group-policy) | Update on app updates when Microsoft Store is blocked. | +| [Configure access to Microsoft Store](https://docs.microsoft.com/windows/configuration/stop-employees-from-using-microsoft-store#a-href-idblock-store-group-policyablock-microsoft-store-using-group-policy) | Update on app updates when Microsoft Store is blocked. | | [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update | ## March 2018 @@ -66,21 +66,21 @@ ms.localizationpriority: medium | New or changed topic | Description | | --- | --- | | [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | New | -| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. | +| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. | ## June 2017 | New or changed topic | Description | | -------------------- | ----------- | | [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) | New. Information about notification model in Microsoft Store for Business and Education. | | [Get Minecraft: Education Edition with Windows 10 device promotion](https://docs.microsoft.com/education/windows/get-minecraft-device-promotion) | New. Information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. | -| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. | +| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. | ## July 2017   | New or changed topic | Description | | -------------------- | ----------- | | [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | New. Information about Windows Autopilot Deployment Program and how it is used in Microsoft Store for Business and Education. | -| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. | +| [Microsoft Store for Business and Education overview - supported markets](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview#supported-markets) | Updates for added market support. |   diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index efce0d7fd7..45d4c68486 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 08/29/2018 +ms.date: 10/31/2018 --- # What's new in Microsoft Store for Business and Education @@ -17,10 +17,10 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**August 2018** +**October 2018** | | | |-----------------------|---------------------------------| -| ![Private store performance icon](images/perf-improvement-icon.png) |**App requests**

    People in your organization can make requests for apps that they need. They can also request them on behalf of other people. Admins review requests and can decide on purchases.

    [Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#allow-app-requests)

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | +| ![Security groups](images/security-groups-icon.png) |**Use security groups with Private store apps**

    On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store.

    [Get more info](https://docs.microsoft.com/microsoft-store/app-inventory-management-microsoft-store-for-business#private-store-availability)

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | ## Previous releases and updates +[September 2018](release-history-microsoft-store-business-education.md#september-2018) +- Performance improvements + +[August 2018](release-history-microsoft-store-business-education.md#august-2018) +- App requests + [July 2018](release-history-microsoft-store-business-education.md#july-2018) - Bug fixes and performance improvements @@ -63,7 +69,7 @@ We’ve been working on bug fixes and performance improvements to provide you a - Microsoft Product and Services Agreement customers can invite people to take roles [December 2017](release-history-microsoft-store-business-education.md#december-2017) -- Bug fixes and permformance improvements +- Bug fixes and performance improvements [November 2017](release-history-microsoft-store-business-education.md#november-2017) - Export list of Minecraft: Education Edition users diff --git a/store-for-business/work-with-partner-microsoft-store-business.md b/store-for-business/work-with-partner-microsoft-store-business.md new file mode 100644 index 0000000000..0f30df6697 --- /dev/null +++ b/store-for-business/work-with-partner-microsoft-store-business.md @@ -0,0 +1,81 @@ +--- +title: Work with solution providers in Microsoft Store for Business and Education (Windows 10) +description: You can work with Microsoft-certified solution providers to purchase and manage products and services for your organization or school. +keywords: partner, solution provider +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +ms.author: TrudyHa +ms.topic: conceptual +ms.date: 10/12/2018 +--- + +# Working with solution providers in Microsoft Store for Business + +You can work with Microsoft-certified solution providers to purchase and manage products and services for your organization or school. There's a few steps involved in getting the things set up. + +The process goes like this: +- Admins find and contact a solution provider using **Find a solution provider** in Microsoft Store for Business. +- Solution providers send a request from Partner center to customers to become their solution provider. +- Customers accept the invitation in Microsoft Store for Business and start working with the solution provider. +- Customers can manage settings for the relationship with Partner in Microsoft Store for Business. + +## What can a solution provider do for my organization or school? + +There are several ways that a solution provider can work with you. Solution providers will choose one of these when they send their request to work as a partner with you. + +| Solution provider function | Description | +| ------ | ------------------- | +| Reseller | Solution providers sell Microsoft products to your organization or school. | +| Delegated administrator | Solution provider manages products and services for your organization or school. In Azure Active Directory (AD), the Partner will be a Global Administrator for tenant. This allows them to manage services like creating user accounts, assigning and managing licenses, and password resets. | +| Reseller & delegated administrator | Solution providers that sell and manage Microsoft products and services to your organization or school. | +| Partner | You can give your solution provider a user account in your tenant, and they work on your behalf with other Microsoft services. | +| Microsoft Products & Services Agreement (MPSA) partner | If you've worked with multiple solution providers through the MPSA program, you can allow partners to see purchases made by each other. | +| OEM PC partner | Solution providers can upload device IDs for PCs that you're [managing with Autopilot](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). | +| Line-of-business (LOB) partner | Solution providers can develop, submit, and manage LOB apps specific for your organization or school. | + +## Find a solution provider + +You can find partner in Microsoft Store for Business and Education. + +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com/). +2. Select **Find a solution provider**. + + ![Image shows Find a solution provider option in Microsoft Store for Business.](images/msfb-find-partner.png) + +3. Refine the list, or search for a solution provider. + + ![Image shows Find a solution provider option in Microsoft Store for Business.](images/msfb-provider-list.png) + +4. When you find a solution provider you're interested in working with, click **Contact**. +5. Complete and send the form. + +The solution provider will get in touch with you. You'll have a chance to learn more about them. If you decide to work with the solution provider, they will send you an email invitation from Partner Center. + +## Work with a solution provider + +Once you've found a solution provider and decided to work with them, they'll send you an invitation to work together from Partner Center. In Microsoft Store for Business or Education, you'll need to accept the invitation. After that, you can manage their permissions. + +**To accept a solution provider invitation** +1. **Follow email link** - You'll receive an email with a link to accept the solution provider invitation from your solution provider. The link will take you to Microsoft Store for Business or Education. +2. **Accept invitation** - On **Accept Partner Invitation**, select **Authorize** to accept the invitation, accept terms of the Microsoft Cloud Agreement, and start working with the solution provider. + +![Image shows accepting an invitation from a solution provider in Microsoft Store for Business.](images/msft-accept-partner.png) + +## Delegate admin privileges + +Depending on the request made by the solution provider, part of accepting the invitation will include agreeing to give delegated admin privileges to the solution provider. This will happen when the solution provider request includes acting as a delegated administrator. For more information, see [Delegated admin privileges in Azure AD](https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges#delegated-admin-privileges-in-azure-ad). + +If you don't want to delegate admin privileges to the solution provider, you'll need to cancel the invitation instead of accepting it. + +If you delegate admin privileges to a solution provider, you can remove that later. + +**To remove delegate admin privileges** +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com/). +2. Select **Partner** +3. Choose the Partner you want to manage. +4. Select **Remove Delegated Permissions**. + +The solution provider will still be able to work with you, for example, as a Reseller. diff --git a/windows/application-management/TOC.md b/windows/application-management/TOC.md index a57f6f1a55..110f01c7b0 100644 --- a/windows/application-management/TOC.md +++ b/windows/application-management/TOC.md @@ -5,7 +5,6 @@ ## [Understand apps in Windows 10](apps-in-windows-10.md) ## [Add apps and features in Windows 10](add-apps-and-features.md) ## [Repackage win32 apps in the MSIX format](msix-app-packaging-tool.md) -### [Learn how to repackage win32 apps in the MSIX format](msix-app-packaging-tool-walkthrough.md) ## [Application Virtualization (App-V) for Windows](app-v/appv-for-windows.md) ### [Getting Started with App-V](app-v/appv-getting-started.md) #### [What's new in App-V for Windows 10, version 1703 and earlier](app-v/appv-about-appv.md) diff --git a/windows/application-management/app-v/appv-about-appv.md b/windows/application-management/app-v/appv-about-appv.md index f0f2f8eb1a..eac656ed68 100644 --- a/windows/application-management/app-v/appv-about-appv.md +++ b/windows/application-management/app-v/appv-about-appv.md @@ -40,7 +40,7 @@ Previous versions of App-V have required you to manually remove your unpublished With Windows 10, version 1607 and later releases, App-V is now included with [Windows 10 for Enterprise and Windows 10 for Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home) and is no longer part of the Microsoft Desktop Optimization Pack. -To learn more about earlier versions of App-V, see [MDOP Information Experience](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/index). +To learn more about earlier versions of App-V, see [MDOP Information Experience](https://docs.microsoft.com/microsoft-desktop-optimization-pack/index). The changes in App-V for Windows 10, version 1607 impact existing implementations of App-V in the following ways: diff --git a/windows/application-management/app-v/appv-auto-batch-sequencing.md b/windows/application-management/app-v/appv-auto-batch-sequencing.md index 9cca4f5fb8..9a0407dafc 100644 --- a/windows/application-management/app-v/appv-auto-batch-sequencing.md +++ b/windows/application-management/app-v/appv-auto-batch-sequencing.md @@ -93,7 +93,7 @@ There are 3 types of log files that occur when you sequence multiple apps at the - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - [How to install the App-V Sequencer](appv-install-the-sequencer.md) -- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) +- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) - [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index ff99b0273a..324dc031b3 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -147,7 +147,7 @@ There are three types of log files that occur when you sequence multiple apps at - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - [How to install the App-V Sequencer](appv-install-the-sequencer.md) -- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) +- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) - [Manually sequence a single app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) diff --git a/windows/application-management/app-v/appv-auto-provision-a-vm.md b/windows/application-management/app-v/appv-auto-provision-a-vm.md index 73c3fb6cdf..b71dacce5a 100644 --- a/windows/application-management/app-v/appv-auto-provision-a-vm.md +++ b/windows/application-management/app-v/appv-auto-provision-a-vm.md @@ -51,7 +51,7 @@ For this process to work, you must have a base operating system available as a V After you have a VHD file, you must provision your VM for auto-sequencing. 1. On the Host device, install Windows 10, version 1703 and the **Microsoft Application Virtualization (App-V) Auto Sequencer** component from the matching version of the Windows Assessment and Deployment Kit (ADK). For more info on how to install the App-V Sequencer, see [Install the App-V Sequencer](appv-install-the-sequencer.md). -2. Make sure that Hyper-V is turned on. For more info about turning on and using Hyper-V, see [Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server). +2. Make sure that Hyper-V is turned on. For more info about turning on and using Hyper-V, see [Hyper-V on Windows Server 2016](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server). 3. Open PowerShell as an admin and run the **New-AppVSequencerVM** cmdlet, using the following parameters: ```PowerShell @@ -123,7 +123,7 @@ After you sequence your packages, you can automatically clean up any unpublished - [Download the **Convert-WindowsImage** tool](https://www.powershellgallery.com/packages/Convert-WindowsImage/10.0) - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - [How to install the App-V Sequencer](appv-install-the-sequencer.md) -- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) +- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) ## Have a suggestion for App-V? diff --git a/windows/application-management/app-v/appv-available-mdm-settings.md b/windows/application-management/app-v/appv-available-mdm-settings.md index d890609518..acc5e6e812 100644 --- a/windows/application-management/app-v/appv-available-mdm-settings.md +++ b/windows/application-management/app-v/appv-available-mdm-settings.md @@ -10,7 +10,7 @@ ms.date: 06/15/2018 --- # Available Mobile Device Management (MDM) settings for App-V -With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page. +With Windows 10, version 1703, you can configure, deploy, and manage your App-V apps with the following Mobile Device Management (MDM) settings. For the full list of available settings, see the [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) page. |Policy name|Supported versions|URI full path|Data type|Values| |---|---|---|---|---| diff --git a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md index 8c896d56e2..2fbf152ae4 100644 --- a/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md +++ b/windows/application-management/app-v/appv-configure-connection-groups-to-ignore-the-package-version.md @@ -46,13 +46,13 @@ For more about adding or upgrading packages, see [How to add or upgrade packages Add-AppvClientConnectionGroup ``` - For more information about how to use the **Add-AppvClientConnectionGroup** cmdlet, see [**Add-AppvClientConnectionGroup**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientconnectiongroup?view=win10-ps). + For more information about how to use the **Add-AppvClientConnectionGroup** cmdlet, see [**Add-AppvClientConnectionGroup**](https://docs.microsoft.com/powershell/module/appvclient/add-appvclientconnectiongroup?view=win10-ps). 4. When you upgrade a package, use the following cmdlets to remove the old package, add the upgraded package, and publish the upgraded package: - - [**Remove-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/remove-appvclientpackage?view=win10-ps) - - [**Add-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/add-appvclientpackage?view=win10-ps) - - [**Publish-AppvClientPackage**](https://docs.microsoft.com/en-us/powershell/module/appvclient/publish-appvclientpackage?view=win10-ps) + - [**Remove-AppvClientPackage**](https://docs.microsoft.com/powershell/module/appvclient/remove-appvclientpackage?view=win10-ps) + - [**Add-AppvClientPackage**](https://docs.microsoft.com/powershell/module/appvclient/add-appvclientpackage?view=win10-ps) + - [**Publish-AppvClientPackage**](https://docs.microsoft.com/powershell/module/appvclient/publish-appvclientpackage?view=win10-ps) For more information, see [How to manage App-V packages running on a stand-alone computer by using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md). diff --git a/windows/application-management/app-v/appv-create-and-use-a-project-template.md b/windows/application-management/app-v/appv-create-and-use-a-project-template.md index ee730d4a21..54c4e39515 100644 --- a/windows/application-management/app-v/appv-create-and-use-a-project-template.md +++ b/windows/application-management/app-v/appv-create-and-use-a-project-template.md @@ -49,7 +49,7 @@ After creating the template, you can apply it to all of your new virtual app pac - [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) - [How to install the App-V Sequencer](appv-install-the-sequencer.md) -- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) +- [Learn about Hyper-V on Windows Server 2016](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/hyper-v-on-windows-server) - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) - [Manually sequence a new app using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-sequence-a-new-application.md) diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index b6e27aece2..ee3f71058e 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -1,34 +1,30 @@ --- -title: How to Delete a Connection Group (Windows 10) -description: How to Delete a Connection Group +title: How to delete a connection group (Windows 10) +description: How to delete a connection group. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# How to delete a connection group - -# How to Delete a Connection Group - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Use the following procedure to delete an existing App-V connection group. -**To delete a connection group** +## Delete a connection group -1. Open the App-V Management Console and select **CONNECTION GROUPS**. +1. Open the App-V Management Console and select **CONNECTION GROUPS**. -2. Right-click the connection group to be removed, and select **delete**. +2. Right-click the connection group to be removed and select **delete**. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[Managing Connection Groups](appv-managing-connection-groups.md) +- [Operations for App-V](appv-operations.md) +- [Managing connection groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 0a3464836a..81a067b1eb 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md @@ -1,32 +1,29 @@ --- -title: How to Delete a Package in the Management Console (Windows 10) -description: How to Delete a Package in the Management Console +title: How to delete a package in the Management Console (Windows 10) +description: How to delete a package in the Management Console. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# How to delete a package in the Management Console - -# How to Delete a Package in the Management Console - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Use the following procedure to delete an App-V package. -**To delete a package in the Management Console** +## Delete a package in the Management Console -1. To view the package you want to delete, open the App-V Management Console and select **Packages**. Select the package to be removed. +1. To view the package you want to delete, open the App-V Management Console and select **Packages**. Select the package to be removed. -2. Click or right-click the package. Select **Delete** to remove the package. +2. Select or right-click the package, then select **Delete** to remove the package. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index 439a1617b9..29eafeeefa 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md @@ -1,45 +1,45 @@ --- -title: How to deploy App-V Packages Using Electronic Software Distribution (Windows 10) -description: How to deploy App-V Packages Using Electronic Software Distribution +title: How to deploy App-V packages using electronic software distribution (Windows 10) +description: How to deploy App-V packages using electronic software distribution. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- - # How to deploy App-V packages using electronic software distribution -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 You can use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. -For component requirements and options for using an ESD to deploy App-V packages, see [Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md). +For component requirements and options for using an ESD to deploy App-V packages, see [Planning to deploy App-V with an electronic software distribution system](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md). Use one of the following methods to publish packages to App-V client computers with an ESD: +- Use the functionality in a third-party ESD. +- Install the application on the target client computer with the associated Windows Installer (.msi) file that's created when you initially sequence the application. The .msi file contains the associated App-V package file information used to configure a package and copies the required package files to the client. +- Use Windows PowerShell cmdlets to deploy virtualized applications. For more information about using Windows PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md). + | Method | Description | -| - | - | -| Functionality provided by a third-party ESD | Use the functionality in a third-party ESD.| +|---|---| +| Functionality provided by a third-party ESD | Use the functionality in a third-party ESD.| | Stand-alone Windows Installer | Install the application on the target client computer by using the associated Windows Installer (.msi) file that is created when you initially sequence an application. The Windows Installer file contains the associated App-V package file information used to configure a package and copies the required package files to the client. | -| Windows PowerShell | Use Windows PowerShell cmdlets to deploy virtualized applications. For more information about using Windows PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md).| +| Windows PowerShell | Use Windows PowerShell cmdlets to deploy virtualized applications. For more information about using Windows PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md).| -  +## Deploy App-V packages with an ESD -**To deploy App-V packages by using an ESD** +1. Install the App-V Sequencer on a computer in your environment. For more information about installing the sequencer, see [How to install the Sequencer](appv-install-the-sequencer.md). -1. Install the App-V Sequencer on a computer in your environment. For more information about installing the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md). +2. Use the App-V Sequencer to create a virtual application. To learn more about creating virtual applications, see [Creating and managing App-V virtualized applications](appv-creating-and-managing-virtualized-applications.md). -2. Use the App-V Sequencer to create virtual application. For information about creating a virtual application, see [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md). - -3. After you create the virtual application, deploy the package by using your ESD solution. +3. After you create the virtual application, deploy the package by using your ESD solution. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -- [Operations for App-V](appv-operations.md) +- [Operations for App-V](appv-operations.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server.md b/windows/application-management/app-v/appv-deploy-the-appv-server.md index 4ffe1ba432..a8035796ac 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server.md @@ -27,7 +27,7 @@ ms.date: 04/18/2018 1. Download the App-V server components. All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations: - * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/en-us/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. + * The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. * The [Volume Licensing Service Center](https://www.microsoft.com/en-us/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home). 2. Copy the App-V server installation files to the computer on which you want to install it. 3. Start the App-V server installation by right-clicking and running **appv\_server\_setup.exe** as an administrator, and then click **Install**. diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md index 5d6bd60233..ce2b61a864 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2010-wth-appv.md @@ -29,7 +29,7 @@ The following table shows the App-V versions, methods of Office package creation ## Creating Office 2010 App-V using the sequencer -Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. Microsoft has provided a detailed recipe through a Knowledge Base article. For detailed instructions about how to create an Office 2010 package on App-V, see [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/en-us/kb/2830069). +Sequencing Office 2010 is one of the main methods for creating an Office 2010 package on App-V. Microsoft has provided a detailed recipe through a Knowledge Base article. For detailed instructions about how to create an Office 2010 package on App-V, see [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069). ## Creating Office 2010 App-V packages using package accelerators @@ -78,13 +78,13 @@ The following table provides a full list of supported integration points for Off ### Office 2013 App-V Packages Additional Resources -* [Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://support.microsoft.com/en-us/kb/2772509) +* [Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://support.microsoft.com/kb/2772509) ### Office 2010 App-V Packages * [Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](https://www.microsoft.com/en-us/download/details.aspx?id=38399) -* [Known issues when you create or use an App-V 5.0 Office 2010 package](https://support.microsoft.com/en-us/kb/2828619) -* [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/en-us/kb/2830069) +* [Known issues when you create or use an App-V 5.0 Office 2010 package](https://support.microsoft.com/kb/2828619) +* [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069) ### Connection Groups diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md index 7b63794730..35d2485f4b 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2013-with-appv.md @@ -35,7 +35,7 @@ Before you deploy Office with App-V, review the following requirements. |---|---| |Packaging|All Office applications you wish to deploy to users must be in a single package.
    In App-V and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
    If you're deploying Microsoft Visio 2013 and Microsoft Project 2013 along with Office, you must include them in the same package with Office. For more information, see [Deploying Visio 2013 and Project 2013 with Office](#bkmk-deploy-visio-project).| |Publishing|You can only publish one Office package per client computer.
    You must publish the Office package globally, not to the user.| -|Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](https://docs.microsoft.com/en-us/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus).
    You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.| +|Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer using Remote Desktop Services.|You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus).
    You don’t need to use shared computer activation if you’re deploying a volume licensed product, such as Office Professional Plus 2013, Visio Professional 2013, or Project Professional 2013.| ### Excluding Office applications from a package @@ -43,7 +43,7 @@ The following table describes the recommended methods for excluding specific Off |Task|Details| |---|---| -|Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool.|Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.
    For more information, see [ExcludeApp element](https://docs.microsoft.com/en-us/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ui=en-US&rs=en-US&ad=US#excludeapp-element).| +|Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool.|Enables you to exclude specific Office applications from the package when the Office Deployment Tool creates the package. For example, you can use this setting to create a package that contains only Microsoft Word.
    For more information, see [ExcludeApp element](https://docs.microsoft.com/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ui=en-US&rs=en-US&ad=US#excludeapp-element).| |Modify the **DeploymentConfig.xml** file|Modify the **DeploymentConfig.xml** file after creating the package. This file contains the default package settings for all users on a computer running the App-V Client.
    For more information, see [Disabling Office 2013 applications](#bkmk-disable-office-apps).| ## Creating an Office 2013 package for App-V with the Office Deployment Tool @@ -302,7 +302,7 @@ Use the steps in this section to enable Office plug-ins with your Office package You may want to disable specific applications in your Office App-V package. For instance, you can disable Access, but leave all other Office application main available. When you disable an application, the end user will no longer see the shortcut for that application. You do not have to re-sequence the application. When you change the Deployment Configuration File after the Office 2013 App-V package has been published, you will save the changes, add the Office 2013 App-V package, then republish it with the new Deployment Configuration File to apply the new settings to Office 2013 App-V Package applications. >[!NOTE] ->To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](https://docs.microsoft.com/en-us/DeployOffice/configuration-options-for-the-office-2016-deployment-tool#excludeapp-element). +>To exclude specific Office applications (for example, Access and InfoPath) when you create the App-V package with the Office Deployment Tool, use the **ExcludeApp** setting. For more information, see [Reference for Click-to-Run configuration.xml file](https://docs.microsoft.com/DeployOffice/configuration-options-for-the-office-2016-deployment-tool#excludeapp-element). #### To disable an Office 2013 application @@ -408,20 +408,20 @@ This section describes the requirements and options for deploying Visio 2013 and |Goal|Method| |---|---| |Create two different packages and deploy each one to a different group of users|Create and deploy the following packages:
    A package that contains only Office—deploy to computers whose users need only Office.
    A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.| -|Create just one package for the whole organization, or for users who share computers|Follow these steps:
    1. Create a package that contains Office, Visio, and Project.
    2. Deploy the package to all users.
    3. Use [AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project.| +|Create just one package for the whole organization, or for users who share computers|Follow these steps:
    1. Create a package that contains Office, Visio, and Project.
    2. Deploy the package to all users.
    3. Use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project.| ## Additional resources ### Additional resources for Office 2013 App-V Packages * [Office 2013 Deployment Tool for Click-to-Run](https://www.microsoft.com/download/details.aspx?id=36778) -* [Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://support.microsoft.com/en-us/kb/2772509) +* [Supported scenarios for deploying Microsoft Office as a sequenced App-V Package](https://support.microsoft.com/kb/2772509) ### Additional resources for Office 2010 App-V Packages * [Microsoft Office 2010 Sequencing Kit for Microsoft Application Virtualization 5.0](https://www.microsoft.com/download/details.aspx?id=38399) -* [Known issues when you create or use an App-V 5.0 Office 2010 package](https://support.microsoft.com/en-us/kb/2828619) -* [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/en-us/kb/2830069) +* [Known issues when you create or use an App-V 5.0 Office 2010 package](https://support.microsoft.com/kb/2828619) +* [How To Sequence Microsoft Office 2010 in Microsoft Application Virtualization 5.0](https://support.microsoft.com/kb/2830069) ### Additional resources for Connection Groups diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index e43a70509e..63932df3b0 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -1,6 +1,6 @@ --- -title: Deploying Microsoft Office 2016 by Using App-V (Windows 10) -description: Deploying Microsoft Office 2016 by Using App-V +title: Deploying Microsoft Office 2016 by using App-V (Windows 10) +description: Deploying Microsoft Office 2016 by using App-V author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -8,7 +8,7 @@ ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 --- -# Deploying Microsoft Office 2016 by Using App-V +# Deploying Microsoft Office 2016 by using App-V >Applies to: Windows 10, version 1607 @@ -35,7 +35,7 @@ Before you deploy Office with App-V, review the following requirements. |-----------|-------------------| | Packaging. | All Office applications that you deploy to users must be in a single package.
    In App-V 5.0 and later, you must use the Office Deployment Tool to create packages. The Sequencer doesn't support package creation.
    If you're deploying Microsoft Visio 2016 and Microsoft Project 2016 at the same time as Office, you must put them all in the same package. For more information, see [Deploying Visio 2016 and Project 2016 with Office](#deploying-visio-2016-and-project-2016-with-office). | | Publishing. | You can only publish one Office package per client computer.
    You must publish the Office package globally, not to the user. | -| Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer with Remote Desktop Services. | You must enable [shared computer activation](https://docs.microsoft.com/en-us/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). | +| Deploying Office 365 ProPlus, Visio Pro for Office 365, or Project Pro for Office 365 to a shared computer with Remote Desktop Services. | You must enable [shared computer activation](https://docs.microsoft.com/DeployOffice/overview-of-shared-computer-activation-for-office-365-proplus). | ### Excluding Office applications from a package @@ -43,7 +43,7 @@ The following table describes the recommended methods for excluding specific Off |Task|Details| |-------------|---------------| -| Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool. | With this setting, you can exclude specific Office applications from the package that the Office Deployment Tool creates. For example, you can use this setting to create a package that contains only Microsoft Word.
    For more information, see [ExcludeApp element](https://docs.microsoft.com/en-us/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ui=en-US&rs=en-US&ad=US#excludeapp-element). | +| Use the **ExcludeApp** setting when you create the package by using the Office Deployment Tool. | With this setting, you can exclude specific Office applications from the package that the Office Deployment Tool creates. For example, you can use this setting to create a package that contains only Microsoft Word.
    For more information, see [ExcludeApp element](https://docs.microsoft.com/DeployOffice/configuration-options-for-the-office-2016-deployment-tool?ui=en-US&rs=en-US&ad=US#excludeapp-element). | | Modify the DeploymentConfig.xml file | Modify the DeploymentConfig.xml file after the package has been created. This file contains the default package settings for all users on a computer that is running the App-V Client.
    For more information, see [Disabling Office 2016 applications](#disabling-office-2016-applications). | ## Creating an Office 2016 package for App-V with the Office Deployment Tool @@ -120,7 +120,7 @@ The XML file included in the Office Deployment Tool specifies the product detail | Language element | Specifies which language the applications support. | `Language ID="en-us"` | | Version (attribute of **Add** element) | Optional. Specifies which build the package will use.
    Defaults to latest advertised build (as defined in v32.CAB at the Office source). | `16.1.2.3` | | SourcePath (attribute of **Add** element) | Specifies the location the applications will be saved to. | `Sourcepath = "\\Server\Office2016"` | - | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation.
    The default is **Deferred** for Office 365 ProPlus and **Current** for Visio Pro for Office 365 and Project Online Desktop Client.
    For more information about update channels, see [Overview of update channels for Office 365 ProPlus](https://docs.microsoft.com/en-us/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"`
    `Channel="Deferred"`
    `Channel="FirstReleaseDeferred"`
    `Channel="FirstReleaseCurrent"` | + | Channel (part of **Add** element) | Optional. Defines which channel will be used to update Office after installation.
    The default is **Deferred** for Office 365 ProPlus and **Current** for Visio Pro for Office 365 and Project Online Desktop Client.
    For more information about update channels, see [Overview of update channels for Office 365 ProPlus](https://docs.microsoft.com/DeployOffice/overview-of-update-channels-for-office-365-proplus). | `Channel="Current"`
    `Channel="Deferred"`
    `Channel="FirstReleaseDeferred"`
    `Channel="FirstReleaseCurrent"` | After editing the **configuration.xml** file to specify the desired product, languages, and the location where the Office 2016 applications will be saved to, you can save the configuration file under a name of your choice, such as "Customconfig.xml." 2. **Download the applications into the specified location:** Use an elevated command prompt and a 64-bit operating system to download the Office 2016 applications that will later be converted into an App-V package. The following is an example command: @@ -369,7 +369,7 @@ The following table describes the requirements and options for deploying Visio 2 | Task | Details | |---------------------|---------------| | How do I package and publish Visio 2016 and Project 2016 with Office? | You must include Visio 2016 and Project 2016 in the same package with Office.
    If you are not deploying Office, you can create a package that contains Visio and/or Project, as long as you follow the packaging, publishing, and deployment requirements described in this topic. | -| How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods:
    **To create two different packages and deploy each one to a different group of users**:
    Create and deploy the following packages:
    - A package that contains only Office—deploy to computers whose users need only Office.
    - A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.

    **To create only one package for the whole organization, or to create a package intended for users who share computers**:
    1. Create a package that contains Office, Visio, and Project.
    2. Deploy the package to all users.
    3. Use [AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project. | +| How can I deploy Visio 2016 and Project 2016 to specific users? | Use one of the following methods:
    **To create two different packages and deploy each one to a different group of users**:
    Create and deploy the following packages:
    - A package that contains only Office—deploy to computers whose users need only Office.
    - A package that contains Office, Visio, and Project—deploy to computers whose users need all three applications.

    **To create only one package for the whole organization, or to create a package intended for users who share computers**:
    1. Create a package that contains Office, Visio, and Project.
    2. Deploy the package to all users.
    3. Use [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/applocker/applocker-overview) to prevent specific users from using Visio and Project. | ## Related topics diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 79da7a2972..05f4985ae8 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md @@ -1,55 +1,34 @@ --- -title: Deploying App-V Packages by Using Electronic Software Distribution (ESD) -description: Deploying App-V Packages by Using Electronic Software Distribution (ESD) +title: Deploying App-V packages by using electronic software distribution (ESD) +description: Deploying App-V packages by using electronic software distribution (ESD) author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# Deploying App-V packages by using electronic software distribution (ESD) +>Applies to: Windows 10, version 1607 -# Deploying App-V Packages by Using Electronic Software Distribution (ESD) +You can deploy App-V packages using an electronic software distribution (ESD) solution. For information about planning to deploy App-V packages with an ESD, see [Planning to deploy App-V with an electronic software distribution system](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md). -**Applies to** -- Windows 10, version 1607 - -You can deploy App-V packages using an Electronic Software Distribution (ESD) solution. For information about planning to deploy App-V packages with an ESD, see [Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md). - -To deploy App-V packages with Microsoft System Center 2012 Configuration Manager, see [Introduction to Application Management in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682125.aspx#BKMK_Appv) +To learn how to deploy App-V packages with Microsoft System Center 2012 Configuration Manager, see [Introduction to application management in Configuration Manager](https://technet.microsoft.com/library/gg682125.aspx#BKMK_Appv) ## How to deploy virtualized packages using an ESD +To learn more about how to deploy virtualized packages using an ESD, see [How to deploy App-V packages using electronic software distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md). -Describes the methods you can use to deploy App-V packages by using an ESD. +## How to enable only administrators to publish packages by using an ESD -[How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md) +To learn how to configure the App-V client to enable only administrators to publish and unpublish packages when you’re using an ESD, see [How to enable only administrators to publish packages by using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md). -## How to Enable Only Administrators to Publish Packages by Using an ESD +## Related topics - -Explains how to configure the App-V client to enable only administrators to publish and unpublish packages when you’re using an ESD. - -[How to Enable Only Administrators to Publish Packages by Using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md) +- [App-V and Citrix integration](https://www.microsoft.com/en-us/download/details.aspx?id=40885) +- [Operations for App-V](appv-operations.md) ## Have a suggestion for App-V? - -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Other resources for using an ESD and App-V - - -Use the following link for more information about [App-V and Citrix Integration](https://www.microsoft.com/en-us/download/details.aspx?id=40885). - -[Operations for App-V](appv-operations.md) - -  - -  - - - - - +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 58d77d2a5a..638235a066 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -1,6 +1,6 @@ --- -title: Deploying the App-V Sequencer and Configuring the Client (Windows 10) -description: Deploying the App-V Sequencer and Configuring the Client +title: Deploying the App-V Sequencer and configuring the client (Windows 10) +description: Deploying the App-V Sequencer and configuring the client author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-deploying-the-appv-server.md b/windows/application-management/app-v/appv-deploying-the-appv-server.md index 2b88ff503b..010925239a 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-server.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-server.md @@ -40,13 +40,13 @@ App-V offers the following five server components, each of which serves a specif All five App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package, which can be downloaded from either of the following locations: -* The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/en-us/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. +* The [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215). You must have a MSDN subscription to download the MDOP ISO package from this site. * The [Volume Licensing Service Center](https://www.microsoft.com/en-us/licensing/default.aspx) if you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home). In large organizations, you might want to install more than one instance of the server components to get the following benefits. * Fault tolerance for situations when one of the servers is unavailable. -* High availability to balance server requests. A network load balancer can also help you acheive this. +* High availability to balance server requests. A network load balancer can also help you achieve this. * Scalability to support high loads. For example, you can install additional servers behind a network load balancer. ## App-V standalone deployment @@ -107,4 +107,4 @@ For more information, see [About App-V reporting](appv-reporting.md) and [How to ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 5cc4247912..e0b0f8d0f6 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md @@ -6,110 +6,84 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# About App-V dynamic configuration +>Applies to: Windows 10, version 1607 -# About App-V Dynamic Configuration +You can use dynamic configuration to customize an App-V package for a user. This article will tell you how to create or edit an existing dynamic configuration file. -**Applies to** -- Windows 10, version 1607 - -You can use the dynamic configuration to customize an App-V package for a user. Use the following information to create or edit an existing dynamic configuration file. - -When you edit the dynamic configuration file it customizes how an App-V package will run for a user or group. This helps to provide a more convenient method for package customization by removing the need to re-sequence packages using the desired settings, and provides a way to keep package content and custom settings independent. - -## Advanced: Dynamic Configuration +When you edit the Dynamic Configuration file, it customizes how an App-V package will run for a user or group. This makes package customization more convenient by removing the need to resequence packages using the desired settings and provides a way to keep package content and custom settings independent. +## Advanced: dynamic configuration Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no additional customization). If you want to adjust these defaults for a particular user or group, you can create and edit the following files: -- User Configuration file +- User Configuration file +- Deployment Configuration file -- Deployment configuration file +These .xml files specify package settings let you customize packages without directly affecting the packages. When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. These automatically generated configuration files reflect the package's default settings that were configured during sequencing. If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. This provides you with a package-specific template to get started if any of the defaults must be changed. -The previous .xml files specify package settings and allow for packages to be customized without directly affecting the packages. When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. Therefore, these automatically generated configuration files simply reflect the default settings that the package innately as from how things were configured during sequencing. If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. This provides you with a package-specific template to get started if any of the defaults must be changed. +>[!NOTE] +>The following information can only be used to modify sequencer generated configuration files to customize packages to meet specific user or group requirements. -**Note**   -The following information can only be used to modify sequencer generated configuration files to customize packages to meet specific user or group requirements. +## Dynamic Configuration file contents -  +All of the additions, deletions, and updates in the configuration files need to be made in relation to the default values specified by the package's manifest information. The following list represents the relationship between these files in how they'll be read, from most to least precedence: -### Dynamic Configuration file contents +- User Configuration .xml file +- Deployment Configuration .xml file +- Package Manifest -All of the additions, deletions, and updates in the configuration files need to be made in relation to the default values specified by the package's manifest information. Review the following table: +The first item represents what will be read last. Therefore, its content takes precedence. All packages inherently contain and provide default settings from the Package Manifest, but it also has the least precedence. If you apply a Deployment Configuration .xml file with customized settings, it will override the Package Manifest's defaults. If you apply a User Configuration .xml file with customized settings prior to that, it will override both the deployment configuration and the Package Manifest's defaults. - --- - - - - - - - - - - - -

    User Configuration .xml file

    Deployment Configuration .xml file

    Package Manifest

    +There are two types of configuration files: -  +- **User Configuration file (UserConfig)**: Allows you to specify or modify custom settings for a package. These settings will be applied for a specific user when the package is deployed to a computer running the App-V client. +- **Deployment Configuration file (DeploymentConfig)**: Allows you to specify or modify the default settings for a package. These settings will be applied for all users when a package is deployed to a computer running the App-V client. -The previous table represents how the files will be read. The first entry represents what will be read last, therefore, its content takes precedence. Therefore, all packages inherently contain and provide default settings from the package manifest. If a deployment configuration .xml file with customized settings is applied, it will override the package manifest defaults. If a user configuration .xml file with customized settings is applied prior to that, it will override both the deployment configuration and the package manifest defaults. +You can use the UserConfig file to customize the settings for a package for a specific set of users on a computer or make changes that will be applied to local user locations such as HKCU. You can use the DeploymentConfig file to modify the default settings of a package for all users on a machine or make changes that will be applied to global locations such as HKEY\_LOCAL\_MACHINE and the All Users folder. -The following list displays more information about the two file types: +The UserConfig file provides configuration settings that you can apply to a single user without affecting any other users on a client: -- **User Configuration File (UserConfig)** – Allows you to specify or modify custom settings for a package. These settings will be applied for a specific user when the package is deployed to a computer running the App-V client. +- Extensions that will be integrated into the native system per user: shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients, and COM. +- Virtual Subsystems: Application Objects, Environment variables, Registry modifications, Services, and Fonts. +- Scripts (user context only). -- **Deployment Configuration File (DeploymentConfig)** – Allows you to specify or modify the default settings for a package. These settings will be applied for all users when a package is deployed to a computer running the App-V client. +The DeploymentConfig file provides configuration settings in two sections, one relative to the machine context and one relative to the user context providing the same capabilities listed in the preceding UserConfig list: -To customize the settings for a package for a specific set of users on a computer or to make changes that will be applied to local user locations such as HKCU, the UserConfig file should be used. To modify the default settings of a package for all users on a machine or to make changes that will be applied to global locations such as HKEY\_LOCAL\_MACHINE and the all users folder, the DeploymentConfig file should be used. +- All UserConfig settings from the preceding section in this topic +- Extensions that can only be applied globally for all users +- Virtual Subsystems that can be configured for global machine locations, such as the registry +- Product Source URL +- Scripts (Machine context only) +- Controls to terminate child processes -The UserConfig file provides configuration settings that can be applied to a single user without affecting any other users on a client: - -- Extensions that will be integrated into the native system per user:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM - -- Virtual Subsystems:- Application Objects, Environment variables, Registry modifications, Services and Fonts - -- Scripts (User context only) - -The DeploymentConfig file provides configuration settings in two sections, one relative to the machine context and one relative to the user context providing the same capabilities listed in the UserConfig list above: - -- All UserConfig settings above - -- Extensions that can only be applied globally for all users - -- Virtual Subsystems that can be configured for global machine locations e.g. registry - -- Product Source URL - -- Scripts (Machine context only) - -- Controls to Terminate Child Processes - -### File structure +## File structure The structure of the App-V Dynamic Configuration file is explained in the following section. -### Dynamic User Configuration file +## Dynamic User Configuration file -**Header** - the header of a dynamic user configuration file is as follows: +### Header -``` +The following is an example of a Dynamic User Configuration file's header: + +```xml ``` -The **PackageId** is the same value as exists in the Manifest file. +The **PackageId** is the same value that exists in the Manifest file. -**Body** - the body of the Dynamic User Configuration file can include all the app extension points that are defined in the Manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: +### Dynamic User Configuration file body -**Applications** - All app-extensions that are contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. +The Dynamic User Configuration file's body can include all app extension points defined in the Manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: -``` +**Applications**: All app-extensions contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. + +```xml @@ -120,9 +94,9 @@ The **PackageId** is the same value as exists in the Manifest file. ``` -**Subsystems** - AppExtensions and other subsystems are arranged as subnodes under the : +**Subsystems**: AppExtensions and other subsystems are arranged as subnodes under ``, as shown in the following example. -``` +```xml .. @@ -131,19 +105,21 @@ The **PackageId** is the same value as exists in the Manifest file. ``` -Each subsystem can be enabled/disabled using the “**Enabled**” attribute. Below are the various subsystems and usage samples. +Each subsystem can be enabled/disabled using the **Enabled** attribute. The following sections describe the various subsystems and usage samples. -**Extensions:** +### Dynamic User Configuration file extensions -Some subsystems (Extension Subsystems) control Extensions. Those subsystems are:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM +Extension Subsystems control extensions. These subsystems are Shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients, and COM. -Extension Subsystems can be enabled and disabled independently of the content.  Thus if Shortcuts are enabled, The client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an node. If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. +Extension Subsystems can be enabled and disabled independently of the content.  Therefore, if Shortcuts are enabled, the client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an `` node. If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. -Example using the shortcuts subsystem: +### Examples of the shortcuts subsystem -**Example 1**
    If the user defined this in either the dynamic or deployment config file: +#### Example 1 -``` +Content will be ignored if the user defined the following in either the dynamic or deployment config file: + +```xml                                                                         ``` -Content in the manifest will be ignored.    +#### Example 2 -**Example 2**
    If the user defined only the following: +Content in the manifest will be integrated during publishing if the user defined only the following: + +```xml                             `` - -Then the content in the Manifest will be integrated during publishing. - -**Example 3**
    If the user defines the following - ``` + +#### Example 3 + +All shortcuts in the manifest will be ignored and no shortcuts will be integrated if the user defines the following: + +```xml                                                                                                     ``` -Then all the shortcuts within the manifest will still be ignored. There will be no shortcuts integrated. +### Supported Extension Subsystems -The supported Extension Subsystems are: +**Shortcuts**: This controls shortcuts that will be integrated into the local system. The following example has two shortcuts: -**Shortcuts:** This controls shortcuts that will be integrated into the local system. Below is a sample with 2 shortcuts: - -``` +```xml   @@ -209,9 +186,9 @@ The supported Extension Subsystems are: ``` -**File-Type Associations:** Associates File-types with programs to open by default as well as setup the context menu. (MIME types can also be setup using this susbsystem). Sample File-type Association is below: +**File Type Associations**: Associates file types with programs to open by default as well as setup the context menu. (MIME types can also be set up with this susbsystem). The following is an example of a FileType association: -``` +```xml @@ -275,9 +252,9 @@ The supported Extension Subsystems are: ``` -**URL Protocols**: This controls the URL Protocols that are integrated into the local registry of the client machine e.g. “mailto:”. +**URL Protocols**: This controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” ptrotocol. -``` +```xml @@ -322,17 +299,17 @@ The supported Extension Subsystems are:   ``` -**Software Clients**: Allows the app to register as an Email client, news reader, media player and makes the app visible in the Set Program Access and Computer Defaults UI. In most cases you should only need to enable and disable it. There is also a control to enable and disable the email client specifically if you want the other clients still enabled except for that client. +**Software Clients**: Allows the app to register as an email client, news reader, or media player and makes the app visible in the Set Program Access and Computer Defaults UI. In most cases, you only need to enable and disable it. There's also a control that lets you enable or disable the email client only in case you want all the other clients to remain as they are. -``` +```xml   ``` -**AppPaths**: If an application for example contoso.exe is registered with an apppath name of “myapp”, it allows you type “myapp” under the run menu and it will open contoso.exe. +**AppPaths**: If an application, such as contoso.exe, is registered with an apppath name of “myapp”, this subsystem lets you open the app by entering “myapp” into the run menu. -``` +```xml @@ -349,21 +326,25 @@ The supported Extension Subsystems are: ``` -**COM**: Allows an Application register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. - -` ` - -**Other Settings**: - -In addition to Extensions, other subsystems can be enabled/disabled and edited: - -**Virtual Kernel Objects**: - -` ` - -**Virtual Registry**: Used if you want to set a registry in the Virtual Registry within HKCU +**COM**: Allows an Application to register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. +```xml + ``` + +### Other settings for Dynamic User Configuration file + +In addition to Extensions, the following other subsystems can be enabled/disabled and edited. + +#### Virtual Kernel Objects + +```xml + +```xml + +**Virtual Registry**: use this if you want to set a registry in the Virtual Registry within HKCU. + +```xml @@ -375,17 +356,21 @@ In addition to Extensions, other subsystems can be enabled/disabled and edited:   ``` -**Virtual File System** - -`       ` - -**Virtual Fonts** - -`       ` - -**Virtual Environment Variables** +#### Virtual File System +```xml +       ``` + +#### Virtual Fonts + +```xml +       +``` + +#### Virtual Environment Variables + +```xml         @@ -397,32 +382,39 @@ In addition to Extensions, other subsystems can be enabled/disabled and edited:          ``` -**Virtual services** - -`       ` - -**UserScripts** – Scripts can be used to setup or alter the virtual environment as well as execute scripts at time of deployment or removal, before an application executes, or they can be used to “clean up” the environment after the application terminates. Please reference a sample User configuration file that is output by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used. - -### Dynamic Deployment Configuration file - -**Header** - The header of a Deployment Configuration file is as follows: +#### Virtual services +```xml +       ``` + +#### UserScripts + +Scripts can be used to set up or alter the virtual environment and execute scripts on deployment or removal, before an application executes, or they can clean up the environment after the application terminates. Please refer to a sample User Configuration file output by the sequencer to see a sample script. See the [Scripts](appv-dynamic-configuration.md#scripts) section for more information about the various triggers you can use to set up scripts. + +## Dynamic Deployment Configuration file + +### Dynamic Deployment Configuration file header + +The header of a Deployment Configuration file should look something like this: + +```xml ``` -The **PackageId** is the same value as exists in the manifest file. +The **PackageId** is the same value as the one that exists in the Manifest file. -**Body** - The body of the deployment configuration file includes two sections: +### Dynamic Deployment Configuration file body -- User Configuration section –allows the same content as the User Configuration file described in the previous section. When the package is published to a user, any appextensions configuration settings in this section will override corresponding settings in the Manifest within the package unless a user configuration file is also provided. If a UserConfig file is also provided, it will be used instead of the User settings in the deployment configuration file. If the package is published globally, then only the contents of the deployment configuration file will be used in combination with the manifest. +The body of the deployment configuration file includes two sections: -- Machine Configuration section–contains information that can be configured only for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS. +- The User Configuration section allows the same content as the User Configuration file described in the previous section. When the package is published to a user, any appextensions configuration settings in this section will override corresponding settings in the Manifest within the package unless a user configuration file is also provided. If a UserConfig file is also provided, it will be used instead of the User settings in the deployment configuration file. If the package is published globally, then only the contents of the deployment configuration file will be used in combination with the manifest. +- The Machine Configuration section contains information that can only be configured for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS. -``` +```xml -  .. +.. .. @@ -432,13 +424,15 @@ The **PackageId** is the same value as exists in the manifest file. ``` -**User Configuration** - use the previous **Dynamic User Configuration file** section for information on settings that are provided in the user configuration section of the Deployment Configuration file. +User Configuration: see [Dynamic User Configuration](appv-dynamic-configuration.md#dynamic-user-configuration) for more information about this section. -Machine Configuration - the Machine configuration section of the Deployment Configuration File is used to configure information that can be set only for an entire machine, not for a specific user on the computer. For example, HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. There are four subsections allowed in under this element +Machine Configuration: The Machine Configuration section of the Deployment Configuration File configures information that can only be set for an entire machine, not a specific user on the computer, like the HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. This element can have the following four subsections. -1. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under : +#### Subsystems -``` +AppExtensions and other subsystems are arranged as subnodes under ``: + +```xml     .. @@ -447,15 +441,17 @@ Machine Configuration - the Machine configuration section of the Deployment Conf ``` -The following section displays the various subsystems and usage samples. +The following section describes the various subsystems and usage samples. -**Extensions**: +#### Extensions -Some subsystems (Extension Subsystems) control Extensions which can only apply to all users. The subsystem is application capabilities. Because this can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The same rules for controls and settings that apply to the Extensions in the User Configuration also apply to those in the MachineConfiguration section. +Some subsystems (Extension Subsystems) control extensions that can only apply to all users. The subsystem is application capabilities. Because this can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The rules for User Configuration extension controls and settings also apply to the ones in Machine Configuration. -**Application Capabilities**: Used by default programs in windows operating system Interface. Allows an application to register itself as capable of opening certain file extensions, as a contender for the start menu internet browser slot, as capable of opening certain windows MIME types.  This extension also makes the virtual application visible in the Set Default Programs UI.: +#### Application Capabilities -``` +Used by default programs in the Windows OS interface, the Application Capabilities extension allows an application to register itself as capable of opening certain file extensions, as a contender for the Start menu's internet browser slot, and as capable of opening certain Windows MIME types. This extension also makes the virtual application visible in the Set Default Programs UI. + +```xml       @@ -491,13 +487,13 @@ Some subsystems (Extension Subsystems) control Extensions which can only apply t ``` -**Other Settings**: +#### Other settings for Dynamic Deployment Configuration file -In addition to Extensions, other subsystems can be edited: +You can edit other subsystems in addition to extensions: -**Machine Wide Virtual Registry**: Used when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine +- Machine-wide Virtual Registry: use this when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine. -``` +```xml   @@ -509,9 +505,9 @@ In addition to Extensions, other subsystems can be edited: ``` -**Machine Wide Virtual Kernel Objects** +- Machine-wide Virtual Kernel Objects -``` +```xml     @@ -519,23 +515,23 @@ In addition to Extensions, other subsystems can be edited: ``` -**ProductSourceURLOptOut**: Indicates whether the URL for the package can be modified globally through PackageSourceRoot (to support branch office scenarios). Default is false and the setting change takes effect on the next launch. +- ProductSourceURLOptOut: Indicates whether the URL for the package can be modified globally through PackageSourceRoot to support branch office scenarios. It's set to False by default. Changes to the value take effect on the next launch. -``` +```xml -   ..  +   ..      .. ``` -**MachineScripts** – Package can be configured to execute scripts at time of deployment, publishing or removal. Please reference a sample deployment configuration file that is generated by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used +- MachineScripts: The package can be configured to execute scripts upon deployment, publishing, or removal. To see an example script, please see a sample deployment configuration file generated by the sequencer. The following section provides more information about the various triggers you can use to set up scripts. -**TerminateChildProcess**:- An application executable can be specified, whose child processes will be terminated when the application exe process is terminated. +- TerminateChildProcess: you can use this to specify that an application executable's child processes will be terminated when the application.exe process is terminated. -``` +```xml -   ..    +   ..              @@ -549,113 +545,33 @@ In addition to Extensions, other subsystems can be edited: The following table describes the various script events and the context under which they can be run. - -------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Script Execution TimeCan be specified in Deployment ConfigurationCan be specified in User ConfigurationCan run in the Virtual Environment of the packageCan be run in the context of a specific applicationRuns in system/user context: (Deployment Configuration, User Configuration)

    AddPackage

    X

    (SYSTEM, N/A)

    PublishPackage

    X

    X

    (SYSTEM, User)

    UnpublishPackage

    X

    X

    (SYSTEM, User)

    RemovePackage

    X

    (SYSTEM, N/A)

    StartProcess

    X

    X

    X

    X

    (User, User)

    ExitProcess

    X

    X

    X

    (User, User)

    StartVirtualEnvironment

    X

    X

    X

    (User, User)

    TerminateVirtualEnvironment

    X

    X

    (User, User)

    - -  +|Script execution time|Can be specified in Deployment Configuration|Can be specified in User Configuration|Can run in the package's virtual environment|Can be run in the context of a specific application|Runs in system/user context: (Deployment Configuration, User Configuration)| +|---|:---:|:---:|:---:|:---:|:---:| +|AddPackage|X||||(SYSTEM, N/A)| +|PublishPackage|X|X|||(SYSTEM, User)| +|UnpublishPackage|X|X|||(SYSTEM, User)| +|RemovePackage|X||||(SYSTEM, N/A)| +|StartProcess|X|X|X|X|(User, User)| +|ExitProcess|X|X||X|(User, User)| +|StartVirtualEnvironment|X|X|X||(User, User)| +|TerminateVirtualEnvironment|X|X|||(User, User)| ### Using multiple scripts on a single event trigger App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V for Windows 10. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is included in the App-V client. -**How to use multiple scripts on a single event trigger:** +#### How to use multiple scripts on a single event trigger -For each script that you want to run, pass that script as an argument to the ScriptRunner.exe application. The application then runs each script separately, along with the arguments that you specify for each script. Use only one script (ScriptRunner.exe) per trigger. +For each script that you want to run, pass that script as an argument to the ScriptRunner.exe application. The application will run each script separately, along with the arguments that you specify for each script. Use only one script (ScriptRunner.exe) per trigger. -**Note**   -We recommended that you run the multi-script line from a command prompt first to make sure that all arguments are built correctly before adding them to the deployment configuration file. +>[!NOTE] +>We recommended you first run the multi-script line from a command prompt to make sure all arguments are built correctly before adding them to the deployment configuration file. -  - -**Example script and parameter descriptions** +#### Example script and parameter descriptions Using the following example file and table, modify the deployment or user configuration file to add the scripts that you want to run. -``` syntax +```xml ScriptRunner.exe @@ -669,78 +585,29 @@ Using the following example file and table, modify the deployment or user config ``` - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    Parameter in the example fileDescription

    Name of the event trigger for which you are running a script, such as adding a package or publishing a package.

    ScriptRunner.exe

    The script launcher application that is included in the App-V client.

    -
    -Note   -

    Although ScriptRunner.exe is included in the App-V client, the location of the App-V client must be in %path% or ScriptRunner will not run. ScriptRunner.exe is typically located in the C:\Program Files\Microsoft Application Virtualization\Client folder.

    -
    -
    -  -
    
--appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10
+|Parameter in the example file|Description|
+|---|---|
+|``|Name of the event trigger you're running a script for, such as when adding or publishing a package.|
+|`ScriptRunner.exe`|The script launcher application included in the App-V client.

    Although ScriptRunner.exe is included in the App-V client, the App-V client's location must be in %path% or ScriptRunner won't run. `ScriptRunner.exe` is typically located in the C:\Program Files\Microsoft Application Virtualization\Client folder.|
+|`-appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10`

    `-appvscript script2.vbs arg1 arg2`

    `-appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 -rollbackonerror`|`-appvscript`—token that represents the actual script you want to run.
    `script1.exe`—name of the script you want to run.
    `arg1 arg2`—arguments for the script you want to run.
    `-appvscriptrunnerparameters`—token that represents the execution options for script1.exe.
    `-wait`—token that tells ScriptRunner to wait for execution of script1.exe to finish before proceeding to the next script.
    `-timeout=x`—token that informs ScriptRunner to stop running the current script after *x* number of seconds. All other specified scripts will still run.
    `-rollbackonerror`—token that tells ScriptRunner to stop running all scripts that haven't yet run and roll back an error to the App-V client.|
+|``|Waits for overall completion of ScriptRunner.exe.

    Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts.

    If any individual script reported an error and rollbackonerror was set to True, then ScriptRunner should report the error to App-V client.|
 
--appvscript script2.vbs arg1 arg2
-
--appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 -rollbackonerror
-

    -appvscript - Token that represents the actual script that you want to run.

    -

    script1.exe – Name of the script that you want to run.

    -

    arg1 arg2 – Arguments for the script that you want to run.

    -

    -appvscriptrunnerparameters – Token that represents the execution options for script1.exe

    -

    -wait – Token that informs ScriptRunner to wait for execution of script1.exe to complete before proceeding to the next script.

    -

    -timeout=x – Token that informs ScriptRunner to stop running the current script after x number of seconds. All other specified scripts will still run.

    -

    -rollbackonerror – Token that informs ScriptRunner to stop running all scripts that haven't yet run and to roll back an error to the App-V client.

    Waits for overall completion of ScriptRunner.exe.

    -

    Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts.

    -

    If any individual script reported an error and rollbackonerror was set to true, then ScriptRunner would report the error to App-V client.

    - -  - -ScriptRunner will run any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type is not associated with any application on the computer, the script will not run. +ScriptRunner will run any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type isn't associated with any of the computer's applications, the script won't run. ### Create a Dynamic Configuration file using an App-V Manifest file -You can create the Dynamic Configuration file using one of three methods: either manually, using the App-V Management Console or sequencing a package, which will be generated with 2 sample files. +You can create the Dynamic Configuration file using one of three methods: manually, using the App-V Management Console, or by sequencing a package, which will generate a package with two sample files. -For more information about how to create the file using the App-V Management Console see, [How to Create a Custom Configuration File by Using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md). +For more information about how to create the file using the App-V Management Console, see [How to create a Custom Configuration file by using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md). -To create the file manually, the information above in previous sections can be combined into a single file. We recommend you use files generated by the sequencer. +To create the file manually, you can combine the components listed in the previous sections into a single file. However, we recommend you use files generated by the sequencer instead of manually created ones. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md) - -[How to Apply the User Configuration File by Using Windows PowerShell](appv-apply-the-user-configuration-file-with-powershell.md) - -[Operations for App-V](appv-operations.md) +- [How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md) +- [How to Apply the User Configuration File by Using Windows PowerShell](appv-apply-the-user-configuration-file-with-powershell.md) +- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index 3ae3740c77..803d11d76e 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md @@ -8,25 +8,22 @@ ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 --- +# How to enable only administrators to publish packages by using an ESD - -# How to Enable Only Administrators to Publish Packages by Using an ESD - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you could not prevent end users from performing these tasks. -**To enable only administrators to publish or unpublish packages** +Here's how to enable only administrators to publish or unpublish packages: -1. Navigate to the following Group Policy Object node: +1. Navigate to the following Group Policy Object node: - **Computer Configuration > Administrative Templates > System > App-V > Publishing**. + **Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Publishing**. -2. Enable the **Require publish as administrator** Group Policy setting. +2. Enable the **Require publish as administrator** Group Policy setting. - To instead use Windows PowerShell to set this item, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs). + To instead use Windows PowerShell to set this item, see [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending). ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index c21abca90a..b6df634063 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -8,8 +8,6 @@ ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 --- - - # How to Enable Reporting on the App-V Client by Using Windows PowerShell **Applies to** diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index ff0ad45667..0696778b9f 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md @@ -35,7 +35,7 @@ Check out these articles for more information about how to configure the App-V c * [Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md) * [How to modify client configuration by using Windows PowerShell](appv-modify-client-configuration-with-powershell.md) * [Using the client management console](appv-using-the-client-management-console.md) -* [How to configure the client to receive package and connection group updates From the Publishing server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) +* [How to configure the client to receive package and connection group updates from the Publishing server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md) ## Have a suggestion for App-V? diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md index 857938e467..3642e254c5 100644 --- a/windows/application-management/app-v/appv-for-windows.md +++ b/windows/application-management/app-v/appv-for-windows.md @@ -6,64 +6,61 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- - - # Application Virtualization (App-V) for Windows 10 overview -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 -The topics in this section provide information and step-by-step procedures to help you administer App-V and its components. This information will be valuable for system administrators who manage large installations with many servers and clients and for support personnel who interact directly with the computers or the end users. +The topics in this section provide information and instructions to help you administer App-V and its components. This information is for system administrators who manage large installations with many servers and clients, and for support personnel who interact directly with the computers or users. -[Getting Started with App-V](appv-getting-started.md) +[Getting started with App-V](appv-getting-started.md) - [What's new in App-V](appv-about-appv.md) - [Evaluating App-V](appv-evaluating-appv.md) -- [High Level Architecture for App-V](appv-high-level-architecture.md) +- [High-level architecture for App-V](appv-high-level-architecture.md) [Planning for App-V](appv-planning-for-appv.md) -- [Preparing Your Environment for App-V](appv-preparing-your-environment.md) -- [App-V Prerequisites](appv-prerequisites.md) -- [Planning to Deploy App-V](appv-planning-to-deploy-appv.md) -- [App-V Supported Configurations](appv-supported-configurations.md) -- [App-V Planning Checklist](appv-planning-checklist.md) +- [Preparing your environment for App-V](appv-preparing-your-environment.md) +- [App-V prerequisites](appv-prerequisites.md) +- [Planning to deploy App-V](appv-planning-to-deploy-appv.md) +- [App-V supported configurations](appv-supported-configurations.md) +- [App-V planning checklist](appv-planning-checklist.md) [Deploying App-V](appv-deploying-appv.md) -- [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md) +- [Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md) - [Deploying the App-V Server](appv-deploying-the-appv-server.md) -- [App-V Deployment Checklist](appv-deployment-checklist.md) -- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md) -- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md) -- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) +- [App-V deployment checklist](appv-deployment-checklist.md) +- [Deploying Microsoft Office 2016 by using App-V](appv-deploying-microsoft-office-2016-with-appv.md) +- [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md) +- [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) [Operations for App-V](appv-operations.md) -- [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md) +- [Creating and managing App-V virtualized applications](appv-creating-and-managing-virtualized-applications.md) - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) -- [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md) -- [Managing Connection Groups](appv-managing-connection-groups.md) -- [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md) +- [Administering App-V Virtual Applications by using the Management Console](appv-administering-virtual-applications-with-the-management-console.md) +- [Managing connection groups](appv-managing-connection-groups.md) +- [Deploying App-V packages by using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md) - [Using the App-V Client Management Console](appv-using-the-client-management-console.md) -- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) -- [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) +- [Automatically clean up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) +- [Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md) - [Maintaining App-V](appv-maintaining-appv.md) -- [Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) +- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) [Troubleshooting App-V](appv-troubleshooting.md) -[Technical Reference for App-V](appv-technical-reference.md) +[Technical reference for App-V](appv-technical-reference.md) -- [Performance Guidance for Application Virtualization](appv-performance-guidance.md) -- [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) -- [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) -- [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) +- [Performance guidance for Application Virtualization](appv-performance-guidance.md) +- [Application publishing and client interaction](appv-application-publishing-and-client-interaction.md) +- [Viewing App-V Server publishing metadata](appv-viewing-appv-server-publishing-metadata.md) +- [Running a locally installed application inside a virtual environment with virtualized applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file diff --git a/windows/application-management/app-v/appv-getting-started.md b/windows/application-management/app-v/appv-getting-started.md index 1003f2f5a6..98794a0cb4 100644 --- a/windows/application-management/app-v/appv-getting-started.md +++ b/windows/application-management/app-v/appv-getting-started.md @@ -21,7 +21,7 @@ If you’re already using App-V, performing an in-place upgrade to Windows 10 on >[!IMPORTANT] >You can upgrade your existing App-V installation to App-V for Windows from App-V versions 5.0 SP2 and higher only. If you are using an earlier version of App-V, you’ll need to upgrade your existing App-V installation to App-V 5.0 SP2 before upgrading to App-V for Windows. -To learn more about previous versions of App-V, see [MDOP information experience](https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/index). +To learn more about previous versions of App-V, see [MDOP information experience](https://docs.microsoft.com/microsoft-desktop-optimization-pack/index). ## Getting started with App-V for Windows 10 (new installations) @@ -31,7 +31,7 @@ To start using App-V to deliver virtual applications to users, you’ll need to | Component | What it does | Where to find it | |------------|--|------| -| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

    If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

    If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/en-us/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

    If you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/en-us/licensing/default.aspx).

    See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| +| App-V server components | App-V offers five server components that work together to allow you to host and publish virtual applications, generate usage reports, and manage your App-V environment. For more details, see [Deploying the App-V Server](appv-deploying-the-appv-server.md).

    If you're already using App-V 5.x, you don't need to redeploy the App-V server components, as they haven't changed since App-V 5.0's release. | The App-V server components are included in the Microsoft Desktop Optimization Pack (MDOP) 2015 ISO package that can be downloaded from the following locations:

    If you have a Microsoft Developer Network (MSDN) subscription, use the [MSDN (Microsoft Developer Network) subscriptions site](https://msdn.microsoft.com/subscriptions/downloads/default.aspx#FileId=65215) to download the MDOP ISO package.

    If you're using [Windows 10 for Enterprise or Education](https://www.microsoft.com/en-us/WindowsForBusiness/windows-product-home), download it from the [Volume Licensing Service Center](https://www.microsoft.com/en-us/licensing/default.aspx).

    See [Deploying the App-V Server](appv-deploying-the-appv-server.md) for more information about installing and using the server components.| | App-V client and App-V Remote Desktop Services (RDS) client | The App-V client is the component that runs virtualized applications on user devices, allowing users to interact with icons and file names to start virtualized applications. | The App-V client is automatically installed with Windows 10, version 1607.

    To learn how to enable the client, see [Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md). | | App-V sequencer | Use the App-V sequencer to convert Win32 applications into virtual packages for deployment to user devices. Devices must run the App-V client to allow users to interact with virtual applications. | Installed with the [Windows Assessment and Deployment kit (ADK) for Windows 10, version 1607](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). | diff --git a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md index 2da4a3b2f6..5a78399b06 100644 --- a/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md +++ b/windows/application-management/app-v/appv-install-the-management-server-on-a-standalone-computer.md @@ -16,7 +16,7 @@ To install the management server on a standalone computer and connect it to the 1. Copy the App-V server installation files to the computer on which you want to install it on. To start the App-V server installation, run **appv\_server\_setup.exe** as an administrator, then select **Install**. 2. On the **Getting Started** page, review and accept the license terms, then select **Next**. -3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft Udpate, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**, then select **Next**. +3. On the **Use Microsoft Update to help keep your computer secure and up-to-date** page, to enable Microsoft Update, select **Use Microsoft Update when I check for updates (recommended)**. To disable Microsoft Update, select **I don’t want to use Microsoft Update**, then select **Next**. 4. On the **Feature Selection** page, select the **Management Server** checkbox, then select **Next**. 5. On the **Installation Location** page, accept the default location, then select **Next**. 6. On the **Configure Existing Management Database** page, select **Use a remote SQL Server**, then enter the computer running Microsoft SQL's machine name, such as ```SqlServerMachine```. diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index 2a510d8f89..3292b74b3e 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md @@ -6,172 +6,90 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# How to load the Windows PowerShell cmdlets for App-V and get cmdlet help +>Applies to: Windows 10, version 1607 -# How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help +## Requirements for using Windows PowerShell cmdlets -**Applies to** -- Windows 10, version 1607 +This section will tell you what you'll need to use the PowerShell cmdlets. -What this topic covers: +### How to let users access PowerShell cmdlets -- [Requirements for using Windows PowerShell cmdlets](#bkmk-reqs-using-posh) +You can grant your users access to PowerShell cmdlets through one of the following methods: -- [Loading the Windows PowerShell cmdlets](#bkmk-load-cmdlets) +* While you're deploying and configuring the App-V server, specify an Active Directory group or individual user with permissions to manage the App-V environment. For more information, see [How to deploy the App-V Server](appv-deploy-the-appv-server.md). +* After you've deployed the App-V server, you can use the App-V Management console to add an additional Active Directory group or user. For more information, see [How to add or remove an administrator by using the Management console](appv-add-or-remove-an-administrator-with-the-management-console.md). -- [Getting help for the Windows PowerShell cmdlets](#bkmk-get-cmdlet-help) +### Elevated command prompt -- [Displaying the help for a Windows PowerShell cmdlet](#bkmk-display-help-cmdlet) +You'll need an elevated command prompt to run the following cmdlets: -## Requirements for using Windows PowerShell cmdlets +* **Add-AppvClientPackage** +* **Remove-AppvClientPackage** +* **Set-AppvClientConfiguration** +* **Add-AppvClientConnectionGroup** +* **Remove-AppvClientConnectionGroup** +* **Add-AppvPublishingServer** +* **Remove-AppvPublishingServer** +* **Send-AppvClientReport** +* **Set-AppvClientMode** +* **Set-AppvClientPackage** +* **Set-AppvPublishingServer** +### Other cmdlets -Review the following requirements for using the Windows PowerShell cmdlets: +The following cmdlets are ones that end-users can run unless you configure them to require an elevated command prompt. - ---- - - - - - - - - - - - - - - - - - - - - -
    RequirementDetails

    Users can run App-V Server cmdlets only if you grant them access by using one of the following methods:

      -

    • When you are deploying and configuring the App-V Server:

      -

      Specify an Active Directory group or individual user that has permissions to manage the App-V environment. See [How to Deploy the App-V Server](appv-deploy-the-appv-server.md).

      • -

    • After you’ve deployed the App-V Server:

      -

      Use the App-V Management console to add an additional Active Directory group or user. See [How to Add or Remove an Administrator by Using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md).

      • -

    Cmdlets that require an elevated command prompt

      -

    • Add-AppvClientPackage

      • -

    • Remove-AppvClientPackage

      • -

    • Set-AppvClientConfiguration

      • -

    • Add-AppvClientConnectionGroup

      • -

    • Remove-AppvClientConnectionGroup

      • -

    • Add-AppvPublishingServer

      • -

    • Remove-AppvPublishingServer

      • -

    • Send-AppvClientReport

      • -

    • Set-AppvClientMode

      • -

    • Set-AppvClientPackage

      • -

    • Set-AppvPublishingServer

      • -

    Cmdlets that end users can run, unless you configure them to require an elevated command prompt

      -

    • Publish-AppvClientPackage

      • -

    • Unpublish-AppvClientPackage

      • -
    -

    To configure these cmdlets to require an elevated command prompt, use one of the following methods:

    -
      -

    • Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.

      -

      For more information, see:
      [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)
      [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).

      • -

    • Enable the “Require publish as administrator” Group Policy setting for App-V Clients.

      -

      For more information, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md)

      • -
    -
    +* **Publish-AppvClientPackage** +* **Unpublish-AppvClientPackage** -  +To configure these cmdlets to require an elevated command prompt, use one of the following methods: -## Loading the Windows PowerShell cmdlets +* Run the **Set-AppvClientConfiguration** cmdlet with the *-RequirePublishAsAdmin* parameter. For more information, see the following resources: + * [How to manage connection groups on a stand-alone computer by using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md) + * [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending) +* Enable the **Require publish as administrator** Group Policy setting for App-V Clients. For more information, see [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md). +## Loading the Windows PowerShell cmdlets To load the Windows PowerShell cmdlet modules: -1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). +1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). +2. Enter one of the following cmdlets to load a list of usable cmdlets for the module you want: -2. Type one of the following commands to load the cmdlets for the module you want: +|App-v component|Cmdlet to enter| +|---|---| +|App-V Server|**Import-Module AppvServer**| +|App-V Sequencer|**Import-Module AppvSequencer**| +|App-V Client|**Import-Module AppvClient**| - ---- - - - - - - - - - - - - - - - - - - - - -
    App-V componentCommand to type

    App-V Server

    Import-Module AppvServer

    App-V Sequencer

    Import-Module AppvSequencer

    App-V Client

    Import-Module AppvClient

    - -  - -## Getting help for the Windows PowerShell cmdlets +## Getting help for the Windows PowerShell cmdlets Starting in App-V 5.0 SP3, cmdlet help is available in two formats: -- **As a downloadable module**: To download the latest help after downloading the cmdlet module, open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE), and type one of the following commands: +* As a downloadable module in PowerShell. To access the module, open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE) and enter one of the cmdlets from the following table. - ---- - - - - - - - - - - - - - - - - - - - - -
    App-V componentCommand to type

    App-V Server

    Update-Help -Module AppvServer

    App-V Sequencer

    Update-Help -Module AppvSequencer

    App-V Client

    Update-Help -Module AppvClient

    +|App-v component|Cmdlet to enter| +|---|---| +|App-V Server|**Update-Help -Module AppvServer**| +|App-V Sequencer|**Update-Help -Module AppvSequencer**| +|App-V Client|**Update-Help -Module AppvClient**| -
    - -- **On TechNet as web pages**: See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://technet.microsoft.com/library/dn520245.aspx). - -## Displaying the help for a Windows PowerShell cmdlet +* Online in the [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/powershell/mdop/get-started?view=win-mdop2-ps). +## Displaying the help for a Windows PowerShell cmdlet To display help for a specific Windows PowerShell cmdlet: -1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). - -2. Type **Get-Help** <*cmdlet*>, for example, **Get-Help Publish-AppvClientPackage**. - +1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). +2. Enter **Get-Help** followed by the cmdlet you need help with. For example: + ```PowerShell + Get-Help Publish-AppvClientPackage + ``` ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index 3db885c191..f98668cea5 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -6,45 +6,30 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- - - # Maintaining App-V -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. ## Moving the App-V server -The App-V server connects to the App-V database. Therefore you can install the management component on any computer on the network and then connect it to the App-V database. +The App-V server connects to the App-V database, which means you can install the management component and connect it to the App-V database on any computer on the network. For more information, see [How to move the App-V server to another computer](appv-move-the-appv-server-to-another-computer.md). -[How to Move the App-V Server to Another Computer](appv-move-the-appv-server-to-another-computer.md) +## Determine if an App-V application is running virtualized -## Determine if an App-V Application is Running Virtualized +Independent software vendors (ISV) who want to determine if an application is running virtualized with App-V should open a named object called **AppVVirtual-<PID>** in the default namespace (PID stands for process ID). To find the process ID of the process you're currently using, enter the Windows API **GetCurrentProcessId()**. +For example, let's say the process ID is 4052. If you can successfully open a named Event object called **AppVVirtual-4052** with the **OpenEvent()** API in the default read access namespace, then the application is virtual. If the **OpenEvent()** call fails, the application isn't virtual. -Independent software vendors (ISV) who want to determine if an application is running virtualized with App-V should open a named object called **AppVVirtual-<PID>** in the default namespace. For example, Windows API **GetCurrentProcessId()** can be used to obtain the current process's ID, for example 4052, and then if a named Event object called **AppVVirtual-4052** can be successfully opened using **OpenEvent()** in the default namespace for read access, then the application is virtual. If the **OpenEvent()** call fails, the application is not virtual. - -Additionally, ISV’s who want to explicitly virtualize or not virtualize calls on specific API’s with App-V 5.1 and later, can use the **VirtualizeCurrentThread()** and **CurrentThreadIsVirtualized()** functions implemented in the AppEntSubsystems32.dll module. These provide a way of hinting at a downstream component that the call should or should not be virtualized. +Additionally, ISVs who want to explicitly virtualize or not virtualize calls on specific APIs with App-V 5.1 and later can use the **VirtualizeCurrentThread()** and **CurrentThreadIsVirtualized()** functions implemented in the AppEntSubsystems32.dll module to hint to a downstream component whether the call should be virtualized or not. ## Have a suggestion for App-V? - -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Other resources for maintaining App-V - -[Operations for App-V](appv-operations.md) - -  - -  - - - - - +* [Operations for App-V](appv-operations.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index e3c9eca586..f4a20fb696 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md @@ -1,283 +1,171 @@ --- -title: How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell (Windows 10) -description: How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell +title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10) +description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/24/2018 --- +# How to manage App-V packages running on a stand-alone computer by using Windows PowerShell +>Applies to: Windows 10, version 1607 -# How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell +The following sections explain how to perform various management tasks on a stand-alone client computer with Windows PowerShell cmdlets. -**Applies to** -- Windows 10, version 1607 +## Return a list of packages +Enter the **Get-AppvClientPackage** cmdlet to return a list of packages entitled to a specific user. Its parameters are *-Name*, *-Version*, *-PackageID*, and *-VersionID*. -The following sections explain how to perform various management tasks on a stand-alone client computer by using Windows PowerShell: +For example: -- [To return a list of packages](#bkmk-return-pkgs-standalone-posh) +```PowerShell +Get-AppvClientPackage –Name "ContosoApplication" -Version 2 +``` -- [To add a package](#bkmk-add-pkgs-standalone-posh) +## Add a package -- [To publish a package](#bkmk-pub-pkg-standalone-posh) +Use the **Add-AppvClientPackage** cmdlet to add a package to a computer. -- [To publish a package to a specific user](#bkmk-pub-pkg-a-user-standalone-posh) +>[!IMPORTANT] +>This example only adds a package. It does not publish the package to the user or the computer. -- [To add and publish a package](#bkmk-add-pub-pkg-standalone-posh) +For example: -- [To unpublish an existing package](#bkmk-unpub-pkg-standalone-posh) +```PowerShell +$Contoso = Add-AppvClientPackage \\\\path\\to\\appv\\package.appv +``` -- [To unpublish a package for a specific user](#bkmk-unpub-pkg-specfc-use) +## Publish a package -- [To remove an existing package](#bkmk-remove-pkg-standalone-posh) +Use the **Publish-AppvClientPackage** cmdlet to publish a package that has been added to either a specific user or globally to any user on the computer. -- [To enable only administrators to publish or unpublish packages](#bkmk-admins-pub-pkgs) +Enter the cmdlet with the application name to publish it to the user. -- [Understanding pending packages (UserPending and GlobalPending)](#bkmk-understd-pend-pkgs) +```PowerShell +Publish-AppvClientPackage "ContosoApplication" +``` -## To return a list of packages +To publish the application globally, just add the *-Global* parameter. +```Powershell +Publish-AppvClientPackage "ContosoApplication" -Global +``` -Use the following information to return a list of packages that are entitled to a specific user: +## Publish a package to a specific user -**Cmdlet**: Get-AppvClientPackage +>[!NOTE]   +>You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. -**Parameters**: -Name -Version -PackageID -VersionID - -**Example**: Get-AppvClientPackage –Name “ContosoApplication” -Version 2 - -## To add a package - - -Use the following information to add a package to a computer. - -**Important**   -This example only adds a package. It does not publish the package to the user or the computer. - -  - -**Cmdlet**: Add-AppvClientPackage - -**Example**: $Contoso = Add-AppvClientPackage \\\\path\\to\\appv\\package.appv - -## To publish a package - - -Use the following information to publish a package that has been added to a specific user or globally to any user on the computer. - - ---- - - - - - - - - - - - - - - - - -
    Publishing methodCmdlet and example

    Publishing to the user

    Cmdlet: Publish-AppvClientPackage

    -

    Example: Publish-AppvClientPackage “ContosoApplication”

    Publishing globally

    Cmdlet: Publish-AppvClientPackage

    -

    Example: Publish-AppvClientPackage “ContosoApplication” -Global

    - -  - -## To publish a package to a specific user - - -**Note**   -You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. - -  - -An administrator can publish a package to a specific user by specifying the optional **–UserSID** parameter with the **Publish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). +An administrator can publish a package to a specific user by specifying the optional *–UserSID* parameter with the **Publish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID). To use this parameter: -- You can run this cmdlet from the user or administrator session. +- You can run this cmdlet from the user or administrator session. +- You must be logged in with administrative credentials to use the parameter. +- The end user must be signed in. +- You must provide the end user’s security identifier (SID). -- You must be logged in with administrative credentials to use the parameter. +For example: -- The end user must be logged in. +```PowerShell +Publish-AppvClientPackage "ContosoApplication" -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +``` -- You must provide the end user’s security identifier (SID). +## Add and publish a package -**Cmdlet**: Publish-AppvClientPackage +Use the **Add-AppvClientPackage** cmdlet to add a package to a computer and publish it to the user. -**Example**: Publish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +For example: -## To add and publish a package +```PowerShell +Add-AppvClientPackage | Publish-AppvClientPackage +``` +## Unpublish an existing package -Use the following information to add a package to a computer and publish it to the user. +Use the **Unpublish-AppvClientPackage** cmdlet to unpublish a package which has been entitled to a user but not remove the package from the computer. -**Cmdlet**: Add-AppvClientPackage +For example: -**Example**: Add-AppvClientPackage \\\\path\\to\\appv\\package.appv | Publish-AppvClientPackage +```PowerShell +Unpublish-AppvClientPackage "ContosoApplication" +``` -## To unpublish an existing package +## Unpublish a package for a specific user +>[!NOTE] +>You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. -Use the following information to unpublish a package which has been entitled to a user but not remove the package from the computer. - -**Cmdlet**: Unpublish-AppvClientPackage - -**Example**: Unpublish-AppvClientPackage “ContosoApplication” - -## To unpublish a package for a specific user - - -**Note**   -You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. - -  - -An administrator can unpublish a package for a specific user by using the optional **–UserSID** parameter with the **Unpublish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). +An administrator can unpublish a package for a specific user by using the optional *-UserSID* parameter with the **Unpublish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID). To use this parameter: -- You can run this cmdlet from the user or administrator session. +- You can run this cmdlet from the user or administrator session. +- You must sign in with administrative credentials to use the parameter. +- The end user must be signed in. +- You must provide the end user’s security identifier (SID). -- You must be logged in with administrative credentials to use the parameter. +For example: -- The end user must be logged in. +```PowerShell +Unpublish-AppvClientPackage "ContosoApplication" -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +``` -- You must provide the end user’s security identifier (SID). +## Remove an existing package -**Cmdlet**: Unpublish-AppvClientPackage +Use the **Remove-AppvClientPackage** cmdlet to remove a package from the computer. -**Example**: Unpublish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +For example: -## To remove an existing package +```PowerShell +Remove-AppvClientPackage "ContosoApplication" +``` +>[!NOTE] +>App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [Add and publish a package](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#add-and-publish-a-package). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](https://blogs.technet.microsoft.com/appv/2012/12/03/app-v-5-0-client-powershell-deep-dive/). -Use the following information to remove a package from the computer. +## Enable only administrators to publish or unpublish packages -**Cmdlet**: Remove-AppvClientPackage +Starting in App-V 5.0 SP3, you can use the **Set-AppvClientConfiguration** cmdlet and *-RequirePublishAsAdmin* parameter to enable only administrators (not end users) to publish or unpublish packages. -**Example**: Remove-AppvClientPackage “ContosoApplication” +You can set the *-RequirePublishAsAdmin* parameter to the following values: -**Note**   -App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [To add and publish a package](#bkmk-add-pub-pkg-standalone-posh). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](https://blogs.technet.microsoft.com/appv/2012/12/03/app-v-5-0-client-powershell-deep-dive/). +- 0: False +- 1: True -  +For example: -## To enable only administrators to publish or unpublish packages +```PowerShell +Set-AppvClientConfiguration –RequirePublishAsAdmin1 +``` -Starting in App-V 5.0 SP3, you can use the following cmdlet and parameter to enable only administrators (not end users) to publish or unpublish packages: +To use the App-V Management console to set this configuration, see [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md). - ---- - - - - - - - - - - -

    Cmdlet

    Set-AppvClientConfiguration

    Parameter

    -RequirePublishAsAdmin

    -

    Parameter values:

    -
      -

    • 0 - False

      • -

    • 1 - True

      • -
    -

    Example:: Set-AppvClientConfiguration –RequirePublishAsAdmin1

    +## About pending packages: UserPending and GlobalPending -  +Starting in App-V 5.0 SP2, if you run a Windows PowerShell cmdlet that affects a package currently in use, the task you're trying to perform is placed in a pending state. For example, if you try to publish a package when an application in that package is being used, and then run **Get-AppvClientPackage**, the pending status appears in the cmdlet output as follows: -To use the App-V Management console to set this configuration, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md). - -## Understanding pending packages (UserPending and GlobalPending) - - -**Starting in App-V 5.0 SP2**: If you run a Windows PowerShell cmdlet that affects a package that is currently in use, the task that you are trying to perform is placed in a pending state. For example, if you try to publish a package when an application in that package is being used, and then run **Get-AppvClientPackage**, the pending status appears in the cmdlet output as follows: - - ---- - - - - - - - - - - - - - - - - -
    Cmdlet output itemDescription

    UserPending

    Indicates whether the listed package has a pending task that is being applied to the user:

    -
      -

    • True

      • -

    • False

      • -

    GlobalPending

    Indicates whether the listed package has a pending task that is being applied globally to the computer:

    -
      -

    • True

      • -

    • False

      • -
    - -  +|Cmdlet output item|Description| +|---|---| +|UserPending|Indicates whether the listed package has a pending task that is being applied to the user:
    - True
    - False| +|GlobalPending|Indicates whether the listed package has a pending task that is being applied globally to the computer:
    - True
    - False| The pending task will run later, according to the following rules: - ---- - - - - - - - - - - - - - - - - -
    Task typeApplicable rule

    User-based task, e.g., publishing a package to a user

    The pending task will be performed after the user logs off and then logs back on.

    Globally based task, e.g., enabling a connection group globally

    The pending task will be performed when the computer is shut down and then restarted.

    +|Task type|Applicable rule| +|---|---| +|User-based
    (for example, publishing a package to a user)|The pending task will be performed after the user logs off and then logs back on.| +|Globally based
    (for example, enabling a connection group globally)|The pending task will be performed when the computer is shut down and then restarted.| For more information about pending tasks, see [Upgrading an in-use App-V package](appv-application-publishing-and-client-interaction.md#upgrading-an-in-use-app-v-package). ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) - +- [Operations for App-V](appv-operations.md) +- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md index a82855cb2a..42df49b2c7 100644 --- a/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md @@ -45,7 +45,7 @@ This topic explains the following procedures: 2. Enable the connection group by typing the following command: - Enable-AppvClientConnectionGroup –name “Financial Applications” + Enable-AppvClientConnectionGroup –name "Financial Applications" When any virtual applications that are in the member packages are run on the target computer, they will run inside the connection group’s virtual environment and will be available to all the virtual applications in the other packages in the connection group. @@ -81,11 +81,11 @@ This topic explains the following procedures:

    Enable-AppVClientConnectionGroup

    -

    Enable-AppVClientConnectionGroup “ConnectionGroupA” -UserSID S-1-2-34-56789012-3456789012-345678901-2345

    +

    Enable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345

    Disable-AppVClientConnectionGroup

    -

    Disable-AppVClientConnectionGroup “ConnectionGroupA” -UserSID S-1-2-34-56789012-3456789012-345678901-2345

    +

    Disable-AppVClientConnectionGroup "ConnectionGroupA" -UserSID S-1-2-34-56789012-3456789012-345678901-2345

    diff --git a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md index febf5efcda..894c51e025 100644 --- a/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md +++ b/windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md @@ -25,7 +25,7 @@ Use the following procedure to configure the App-V client configuration. `Set-AppVClientConfiguration $config` - `Set-AppVClientConfiguration –Name1 MyConfig –Name2 “xyz”` + `Set-AppVClientConfiguration –Name1 MyConfig –Name2 "xyz"` ## Have a suggestion for App-V? diff --git a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md index 32232234da..f83bdfa3f4 100644 --- a/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md +++ b/windows/application-management/app-v/appv-planning-for-high-availability-with-appv.md @@ -30,12 +30,12 @@ Review the following articles to learn more about configuring IIS and NLB for co * [Achieving High Availability and Scalability - ARR and NLB](https://www.iis.net/learn/extensions/configuring-application-request-routing-arr/achieving-high-availability-and-scalability-arr-and-nlb) describes how to configure IIS 7.0. -* [Network load balancing overview]() will tell you more about how to configure Microsoft Windows Server. +* [Network load balancing overview]() will tell you more about how to configure Microsoft Windows Server. This information also applies to IIS NLB clusters in Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012. >[!NOTE] ->The IIS NLB functionality in Windows Server 2012 is generally the same as in Windows Server 2008 R2. However, some task details have changed in Windows Server 2012. To learn how to work with these changes, see [Common management tasks and navigation in Windows](). +>The IIS NLB functionality in Windows Server 2012 is generally the same as in Windows Server 2008 R2. However, some task details have changed in Windows Server 2012. To learn how to work with these changes, see [Common management tasks and navigation in Windows](). ## Support for clustered file servers when running SCS mode @@ -54,8 +54,8 @@ The following steps can be used to validate the configuration: Review the following articles to learn more about configuring Windows Server failover clusters: -* [Create a failover cluster]() -* [Use cluster shared volumes in a failover cluster]() +* [Create a failover cluster]() +* [Use cluster shared volumes in a failover cluster]() ## Support for Microsoft SQL Server mirroring @@ -63,7 +63,7 @@ Using Microsoft SQL Server mirroring, where the App-V management server database Review the following to learn more about how to configure Microsoft SQL Server mirroring: -* [Prepare a mirror database for mirroring (SQL Server)](https://docs.microsoft.com/en-us/sql/database-engine/database-mirroring/prepare-a-mirror-database-for-mirroring-sql-server) +* [Prepare a mirror database for mirroring (SQL Server)](https://docs.microsoft.com/sql/database-engine/database-mirroring/prepare-a-mirror-database-for-mirroring-sql-server) * [Establish a database mirroring session using Windows Authentication (SQL Server Management Studio)](https://msdn.microsoft.com/library/ms188712.aspx) (FIX LINK) The following steps can be used to validate the configuration: @@ -88,13 +88,13 @@ Use the following steps to modify the connection string to include ```failover p Click any of the following links for more information: -* [Prepare a mirror database for mirroring (SQL Server)](https://docs.microsoft.com/en-us/sql/database-engine/database-mirroring/prepare-a-mirror-database-for-mirroring-sql-server). -* [Establish a database mirroring session using Windows Authentication (SQL Server Management Studio)](https://docs.microsoft.com/en-us/sql/database-engine/database-mirroring/establish-database-mirroring-session-windows-authentication). +* [Prepare a mirror database for mirroring (SQL Server)](https://docs.microsoft.com/sql/database-engine/database-mirroring/prepare-a-mirror-database-for-mirroring-sql-server). +* [Establish a database mirroring session using Windows Authentication (SQL Server Management Studio)](https://docs.microsoft.com/sql/database-engine/database-mirroring/establish-database-mirroring-session-windows-authentication). * [Deprecated database engine features in SQL Server 2012](). ## Support for Microsoft SQL Server Always On configuration -The App-V management server database supports deployments to computers running Microsoft SQL Server with the **Always On** configuration. For more information, see [Always On Availability Groups (SQL Server)](https://docs.microsoft.com/en-us/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server). +The App-V management server database supports deployments to computers running Microsoft SQL Server with the **Always On** configuration. For more information, see [Always On Availability Groups (SQL Server)](https://docs.microsoft.com/sql/database-engine/availability-groups/windows/always-on-availability-groups-sql-server). ## Have a suggestion for App-V? diff --git a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md index 378e61401d..285bffe2fc 100644 --- a/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md +++ b/windows/application-management/app-v/appv-planning-for-using-appv-with-office.md @@ -23,7 +23,7 @@ You can use the App-V Sequencer to create plug-in packages for language packs, l ## Supported versions of Microsoft Office -For a list of supported Office products, see [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/en-us/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click). +For a list of supported Office products, see [Microsoft Office Product IDs that App-V supports](https://support.microsoft.com/help/2842297/product-ids-that-are-supported-by-the-office-deployment-tool-for-click). >[!NOTE] >You must use the Office Deployment Tool instead of the App-V Sequencer to create App-V packages for Office 365 ProPlus. App-V does not support package creation for volume-licensed versions of Office Professional Plus or Office Standard. Support for the [Office 2013 version of Office 365 ended in Februrary 2017](https://support.microsoft.com/kb/3199744). diff --git a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md index ee75ec9087..857549b340 100644 --- a/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md @@ -12,7 +12,7 @@ ms.date: 04/18/2018 >Applies to: Windows 10, version 1607 -If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with System Center Configuration Manager, see [Introduction to application management in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682125.aspx#BKMK_Appv). +If you are using an electronic software distribution (ESD) system to deploy App-V packages, review the following planning considerations. For information about deploying App-V with System Center Configuration Manager, see [Introduction to application management in Configuration Manager](https://technet.microsoft.com/library/gg682125.aspx#BKMK_Appv). Review the following component and architecture requirements options that apply when you use an ESD to deploy App-V packages: diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index 739de9f0a3..cebbaac7ad 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -6,29 +6,25 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- - - # How to Publish a Connection Group -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 After you create a connection group, you must publish it to computers that run the App-V client. -**To publish a connection group** +## Publish a connection group -1. Open the App-V Management Console, and select **CONNECTION GROUPS**. +1. Open the App-V Management Console and select **CONNECTION GROUPS**. -2. Right-click the connection group to be published, and select **publish**. +2. Right-click the connection group to be published, and select **publish**. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[Managing Connection Groups](appv-managing-connection-groups.md) +* [Operations for App-V](appv-operations.md) +* [Managing connection groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md index fb9ad9b19f..8451509577 100644 --- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md @@ -1,51 +1,45 @@ --- -title: How to Publish a Package by Using the Management Console (Windows 10) -description: How to Publish a Package by Using the Management Console +title: How to publish a package by using the Management console (Windows 10) +description: How to publish a package by using the Management console. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# How to publish a package by using the Management console +>Applies to: Windows 10, version 1607 -# How to Publish a Package by Using the Management Console +Use the following procedure to publish an App-V package. Once you publish a package, computers running the App-V client can access and run the applications in that package. -**Applies to** -- Windows 10, version 1607 +>[!NOTE]   +>The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3. -Use the following procedure to publish an App-V package. Once you publish a package, computers that are running the App-V client can access and run the applications in that package. +## Publish an App-V package -**Note**   -The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3. +1. In the App-V Management console. Select or right-click the name of the package to be published. Select **Publish**. -  - -**To publish an App-V package** - -1. In the App-V Management console. Click or right-click the name of the package to be published. Select **Publish**. - -2. Review the **Status** column to verify that the package has been published and is now available. If the package is available, the status **published** is displayed. +2. Review the **Status** column to verify that the package has been published and is now available. If the package is available, the status **published** is displayed. If the package is not published successfully, the status **unpublished** is displayed, along with error text that explains why the package is not available. -**To enable only administrators to publish or unpublish packages** +## Enable only administrators to publish or unpublish packages -1. Navigate to the following Group Policy Object node: +1. Navigate to the following Group Policy Object node: - **Computer Configuration > Administrative Templates > System > App-V > Publishing**. + **Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Publishing**. -2. Enable the **Require publish as administrator** Group Policy setting. +2. Enable the **Require publish as administrator** Group Policy setting. - To instead use Windows PowerShell to set this item, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs). + To instead use Windows PowerShell to set this item, see [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending). ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
    For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[How to Configure Access to Packages by Using the Management Console](appv-configure-access-to-packages-with-the-management-console.md) +* [Operations for App-V](appv-operations.md) +* [How to configure access to packages by using the Management console](appv-configure-access-to-packages-with-the-management-console.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-reporting.md b/windows/application-management/app-v/appv-reporting.md index 32ae6b094c..d72bc2f199 100644 --- a/windows/application-management/app-v/appv-reporting.md +++ b/windows/application-management/app-v/appv-reporting.md @@ -190,7 +190,7 @@ You can also use the **Send-AppVClientReport** cmdlet to manually collect data. To retrieve report information and create reports using App-V you must use one of the following methods: -* Microsoft SQL Server Reporting Services (SSRS)—Microsoft SSRS is available with Microsoft SQL Server. SSRS is not installed when you install the App-V reporting server. It must be deployed separately to generate the associated reports. For more information, see the [What is SQL Server Reporting Services (SSRS)?](https://docs.microsoft.com/en-us/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports) article. +* Microsoft SQL Server Reporting Services (SSRS)—Microsoft SSRS is available with Microsoft SQL Server. SSRS is not installed when you install the App-V reporting server. It must be deployed separately to generate the associated reports. For more information, see the [What is SQL Server Reporting Services (SSRS)?](https://docs.microsoft.com/sql/reporting-services/create-deploy-and-manage-mobile-and-paginated-reports) article. * Scripting—You can generate reports by scripting directly against the App-V reporting database. For example: @@ -198,7 +198,7 @@ To retrieve report information and create reports using App-V you must use one o **spProcessClientReport** is scheduled to run at midnight or 12:00 AM. - To run the Microsoft SQL Server Scheduled Stored procedure, the Microsoft SQL Server Agent must be running. Make sure the Microsoft SQL Server Agent is set to **AutoStart**. For more information, see [Autostart SQL Server Agent (SQL Server Management Studio)](https://docs.microsoft.com/en-us/sql/ssms/agent/autostart-sql-server-agent-sql-server-management-studio). + To run the Microsoft SQL Server Scheduled Stored procedure, the Microsoft SQL Server Agent must be running. Make sure the Microsoft SQL Server Agent is set to **AutoStart**. For more information, see [Autostart SQL Server Agent (SQL Server Management Studio)](https://docs.microsoft.com/sql/ssms/agent/autostart-sql-server-agent-sql-server-management-studio). The stored procedure is also created when you use the App-V database scripts. diff --git a/windows/application-management/app-v/appv-security-considerations.md b/windows/application-management/app-v/appv-security-considerations.md index c5286a0658..e29423c9c8 100644 --- a/windows/application-management/app-v/appv-security-considerations.md +++ b/windows/application-management/app-v/appv-security-considerations.md @@ -27,9 +27,9 @@ Effective as of June, 2014, the PackageStoreAccessControl (PSAC) feature introdu **Physically secure your computers**. A security strategy that doesn't consider physical security is incomplete. Anyone with physical access to an App-V server could potentially attack the entire client base, so potential physical attacks or thefts should be prevented at all cost. App-V servers should be stored in a physically secure server room with controlled access. Lock the computer with the operating system or a secured screen saver to keep computers secure when the administrators are away. -**Apply the most recent security updates to all computers**. To stay informed about the latest updates for operating systems, Microsoft SQL Server, and App-V, see the [Microsoft Security TechCenter](https://technet.microsoft.com/en-us/security/bb291012). (THIS LINK NEEDS TO BE UPDATED) +**Apply the most recent security updates to all computers**. To stay informed about the latest updates for operating systems, Microsoft SQL Server, and App-V, see the [Microsoft Security TechCenter](https://technet.microsoft.com/security/bb291012). (THIS LINK NEEDS TO BE UPDATED) -**Use strong passwords or pass phrases**. Always use strong passwords with 15 or more characters for all App-V and App-V administrator accounts. Never use blank passwords. For more information about password concepts, see [Password Policy](https://docs.microsoft.com/en-us/sql/relational-databases/security/password-policy) and [Strong Passwords](https://docs.microsoft.com/en-us/sql/relational-databases/security/strong-passwords). (THIS LINK NEEDS TO BE UPDATED) +**Use strong passwords or pass phrases**. Always use strong passwords with 15 or more characters for all App-V and App-V administrator accounts. Never use blank passwords. For more information about password concepts, see [Password Policy](https://docs.microsoft.com/sql/relational-databases/security/password-policy) and [Strong Passwords](https://docs.microsoft.com/sql/relational-databases/security/strong-passwords). (THIS LINK NEEDS TO BE UPDATED) ## Accounts and groups in App-V diff --git a/windows/application-management/app-v/appv-technical-reference.md b/windows/application-management/app-v/appv-technical-reference.md index 81b431ddac..d8f814afcd 100644 --- a/windows/application-management/app-v/appv-technical-reference.md +++ b/windows/application-management/app-v/appv-technical-reference.md @@ -47,4 +47,4 @@ Add or vote on suggestions on the [Application Virtualization feedback site](htt [Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) -[Windows PowerShell reference for App-V](https://technet.microsoft.com/en-us/library/dn903534.aspx) +[Windows PowerShell reference for App-V](https://technet.microsoft.com/library/dn903534.aspx) diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index af6faf50b6..afa48aee66 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -8,146 +8,163 @@ ms.pagetype: mobile ms.author: elizapo author: lizap ms.localizationpriority: medium -ms.date: 08/23/2018 +ms.date: 12/12/2018 --- # Understand the different apps included in Windows 10 +>Applies to: Windows 10 + The following types of apps run on Windows 10: - Windows apps - introduced in Windows 8, primarily installed from the Store app. - Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps. -- "Win32" apps - traditional Windows applications, built for 32-bit systems. +- "Win32" apps - traditional Windows applications. Digging into the Windows apps, there are two categories: -- System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS. -- Apps - All other apps, installed in c:\Program Files\WindowsApps. There are two classes of apps: +- Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps: - Provisioned: Installed in user account the first time you sign in with a new user account. - Installed: Installed as part of the OS. +- System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS. The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1607, 1703, and 1709, and indicate whether an app can be uninstalled through the UI. Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running. + +## Provisioned Windows apps + +Here are the provisioned Windows apps in Windows 10 versions 1703, 1709, 1803 and 1809. + > [!TIP] -> Want to see a list of the apps installed on your specific image? You can run the following PowerShell cmdlet: -> ```powershell -> Get-AppxPackage | select Name,PackageFamilyName -> Get-AppxProvisionedPackage -Online | select DisplayName,PackageName +> You can list all provisioned Windows apps with this PowerShell command: > ``` +> Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName +> ``` + +
    + +| Package name | App name | 1703 | 1709 | 1803 | 1809 | Uninstall through UI? | +|----------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:| +| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | | Yes | +| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App | +| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.MicrosoftOfficeHub | [My Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Office.OneNote | [OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | +| Microsoft.OneConnect | [Paid Wi-Fi & Cellular](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.SkreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No | +| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.VP9VideoExtensions | | | | | x | No | +| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | | x | x | No | +| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No | +| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.Xbox.TCUI | [Xbox TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | | x | x | x | No | +| Microsoft.XboxApp | [Xbox](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxGameOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxGamingOverlay | [Xbox Gaming Overlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | | x | x | No | +| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No | +| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | | | x | No | +| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No | +| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No | + + +>[!NOTE] +>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. ## System apps System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803. -| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | -|------------------|--------------------------------------------|:----:|:----:|:----:|:----------------------------------:| -| Cortana UI | CortanaListenUIApp | x | | |No | -| | Desktop Learning | x | | |No | -| | DesktopView | x | | |No | -| | EnvironmentsApp | x | | |No | -| Mixed Reality + | HoloCamera | x | | |No | -| Mixed Reality + | HoloItemPlayerApp | x | | |No | -| Mixed Reality + | HoloShell | x | | |No | -| | InputApp | | x | x |No | -| | Microsoft.AAD.BrokerPlugin | x | x | x |No | -| | Microsoft.AccountsControl | x | x | x |No | -| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No | -| | Microsoft.CredDialogHost | x | x | x |No | -| | Microsoft.ECApp | | x | x |No | -| | Microsoft.LockApp | x | x | x |No | -| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x |No | -| | Microsoft.PPIProjection | x | x | x |No | -| | Microsoft.Windows.Apprep.ChxApp | x | x | x |No | -| | Microsoft.Windows.AssignedAccessLockApp | x | x | x |No | -| | Microsoft.Windows.CloudExperienceHost | x | x | x |No | -| | Microsoft.Windows.ContentDeliveryManager | x | x | x |No | -| Cortana | Microsoft.Windows.Cortana | x | x | x |No | -| | Microsoft.Windows.Holographic.FirstRun | x | x | x |No | -| | Microsoft.Windows.ModalSharePickerHost | x | | |No | -| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x |No | -| | Microsoft.Windows.OOBENetworkConnectionFlow| x | x | x |No | -| | Microsoft.Windows.ParentalControls | x | x | x |No | -| People Hub | Microsoft.Windows.PeopleExperienceHost | | x | x |No | -| | Microsoft.Windows.PinningConfirmationDialog| | x | x |No | -| | Microsoft.Windows.SecHealthUI | x | x | x |No | -| | Microsoft.Windows.SecondaryTileExperience | x | x | |No | -| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x |No | -| Start | Microsoft.Windows.ShellExperienceHost | x | x | x |No | -| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No | -| | Microsoft.XboxGameCallableUI | x | x | x |No | -| Contact Support\* | Windows.ContactSupport | x | * | |via Optional Features app | -| Settings | Windows.ImmersiveControlPanel | x | x | |No | -| Connect | Windows.MiracastView | x | | |No | -| Print 3D | Windows.Print3D | | x | |Yes | -| Print UI | Windows.PrintDialog | x | x | x |No | -| Purchase UI | Windows.PurchaseDialog | | | x |No | -| | Microsoft.AsyncTextService | | | x |No | -| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No | -| | Microsoft.Win32WebViewHost | | | x |No | -| | Microsoft.Windows.CapturePicker | | | x |No | -| | Windows.CBSPreview | | | x |No | -|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No | -|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No | -|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No | -|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No | +> [!TIP] +> You can list all system apps with this PowerShell command: +> ``` +> Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation +> ``` ->[!NOTE] ->\* The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). - -## Provisioned Windows apps - -Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803. - -| App Name (Canonical) | Display Name | 1703 | 1709 | 1803 | Uninstall via UI? | -|--------------------------------|------------------------|:-----:|:----:|:----:|:-----------------:| -| 3D Builder | [Microsoft.3DBuilder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | Yes | -| App Installer | [Microsoft.DesktopAppInstaller](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | Via Settings App | -| Feedback Hub | [Microsoft.WindowsFeedbackHub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | Yes | -| Get Help | [Microsoft.GetHelp](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | | x | x | No | -| Get Office | [Microsoft.MicrosoftOfficeHub](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | Yes | -| Groove Music | [Microsoft.ZuneMusic](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | No | -| Mail and Calendar | [Microsoft.windowscommunicationsapps](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | No | -| Microsoft Messaging | [Microsoft.Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | No | -| Microsoft People | [Microsoft.People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | No | -| Microsoft Photos | [Microsoft.Windows.Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | No | -| Microsoft Solitaire Collection | [Microsoft.MicrosoftSolitaireCollection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | Yes | -| Microsoft Sticky Notes | [Microsoft.MicrosoftStickyNotes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | No | -| Microsoft Tips | [Microsoft.Getstarted](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | Yes | -| Mixed Reality Viewer | [Microsoft.Microsoft3DViewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | No | -| Movies & TV | [Microsoft.ZuneVideo](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | No | -| MSN Weather (BingWeather | [Microsoft.BingWeather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | Yes | -| One Note | [Microsoft.Office.OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | Yes | -| Paid Wi-Fi & Cellular | [Microsoft.OneConnect](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | Yes | -| Paint 3D | [Microsoft.MSPaint](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | No | -| Print 3D | [Microsoft.Print3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | No | -| Skype | [Microsoft.SkypeApp](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | Yes | -| Store Purchase App\* | App not available in store | x | x | x | No | -| Wallet | App not available in store | x | x | x | No | -| Web Media Extensions | [Microsoft.WebMediaExtensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | | x | No | -| Windows Alarms & Clock | [Microsoft.WindowsAlarms](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | No | -| Windows Calculator | [Microsoft.WindowsCalculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | No | -| Windows Camera | [Microsoft.WindowsCamera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | No | -| Windows Maps | [Microsoft.WindowsMaps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | No | -| Windows Store | [Microsoft.WindowsStore](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | No | -| Windows Voice Recorder | [Microsoft.SoundRecorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | No | -| Xbox | [Microsoft.XboxApp](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | No | -| Xbox Game Bar | [Microsoft.XboxGameOverlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | No | -| Xbox Gaming Overlay | [Microsoft.XboxGamingOverlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | | x | No | -| Xbox Identity Provider | [Microsoft.XboxIdentityProvider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | No | -| Xbox Speech to Text Overlay | App not available in store | x | x | x | No | -| Xbox TCUI | [Microsoft.Xbox.TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | | x | x | No | - ->[!NOTE] ->\* The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. +
    +| Name | Package Name | 1703 | 1709 | 1803 | Uninstall through UI? | +|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------| +| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x | No | +| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x | No | +| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x | No | +| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | | x | No | +| | InputApp | | x | x | No | +| Cortana UI | CortanaListenUIApp | x | | | No | +| | Desktop Learning | x | | | No | +| | DesktopView | x | | | No | +| | EnvironmentsApp | x | | | No | +| Mixed Reality + | HoloCamera | x | | | No | +| Mixed Reality + | HoloItemPlayerApp | x | | | No | +| Mixed Reality + | HoloShell | x | | | No | +| | Microsoft.AAD.Broker.Plugin | x | x | x | No | +| | Microsoft.AccountsControl | x | x | x | No | +| | Microsoft.AsyncTextService | | | x | No | +| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No | +| | Microsoft.CredDialogHost | x | x | x | No | +| | Microsoft.ECApp | | x | x | No | +| | Microsoft.LockApp | x | x | x | No | +| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x | No | +| | Microsoft.MicrosoftEdgeDevToolsClient | | | x | No | +| | Microsoft.PPIProjection | x | x | | No | +| | Microsoft.Win32WebViewHost | | | x | No | +| | Microsoft.Windows.Apprep.ChxApp | x | x | x | No | +| | Microsoft.Windows.AssignedAccessLockApp | x | x | x | No | +| | Microsoft.Windows.CapturePicker | | | x | No | +| | Microsoft.Windows.CloudExperienceHost | x | x | x | No | +| | Microsoft.Windows.ContentDeliveryManager | x | x | x | No | +| Cortana | Microsoft.Windows.Cortana | x | x | x | No | +| | Microsoft.Windows.Holographic.FirstRun | x | x | | No | +| | Microsoft.Windows.ModalSharePickerHost | x | | | No | +| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x | No | +| | Microsoft.Windows.OOBENetworkConnectionFlow | x | x | x | No | +| | Microsoft.Windows.ParentalControls | x | x | x | No | +| People Hub | Microsoft.Windows.PeopleExperienceHost | | x | x | No | +| | Microsoft.Windows.PinningConfirmationDialog | | x | x | No | +| | Microsoft.Windows.SecHealthUI | x | x | x | No | +| | Microsoft.Windows.SecondaryTileExperience | x | x | | No | +| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x | No | +| Start | Microsoft.Windows.ShellExperienceHost | x | x | x | No | +| Windows Feedback | Microsoft.WindowsFeedback | * | * | | No | +| | Microsoft.XboxGameCallableUI | x | x | x | No | +| | Windows.CBSPreview | | | x | No | +| Contact Support* | Windows.ContactSupport | x | * | | Via Settings App | +| Settings | Windows.immersivecontrolpanel | x | x | x | No | +| Connect | Windows.MiracastView | x | | | No | +| Print 3D | Windows.Print3D | | x | | Yes | +| Print UI | Windows.PrintDialog | x | x | x | No | +| Purchase UI | Windows.PurchaseDialog | | | | No | +> [!NOTE] +> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). ## Installed Windows apps Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803. -| Name | DisplayName | 1703 | 1709 | 1803 |Uninstall through UI? | -|--------------------|------------------------------------------|:----:|:----:|:----:|:----------------------:| +| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | +|--------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:| | Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes | | PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes | | Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | x | Yes | @@ -176,55 +193,4 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a | | Microsoft.VCLibs.120.00.Universal | | x | | Yes | | | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes | | | Microsoft.WinJS.2.0 | x | | | Yes | - -## Provisioned Windows apps - -Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803. - -| Name | Full name | 1703 | 1709 | 1803 | Uninstall through UI? | -|---------------------------------|----------------------------------------|:------:|:------:|:------:|---------------------------| -| 3D Builder | Microsoft.3DBuilder | x | | | Yes | -| Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No | -| App Installer | Microsoft.DesktopAppInstaller | x | x | x | Via Settings App | -| Calculator | Microsoft.WindowsCalculator | x | x | x | No | -| Camera | Microsoft.WindowsCamera | x | x | x | No | -| Feedback Hub | Microsoft.WindowsFeedbackHub | x | x | x | Yes | -| Get Help | Microsoft.GetHelp | | x | x | No | -| Get Office/My Office | Microsoft.Microsoft OfficeHub | x | x | x | Yes | -| Get Skype/Skype (preview)/Skype | Microsoft.SkypeApp | x | x | x | Yes | -| Get Started/Tips | Microsoft.Getstarted | x | x | x | Yes | -| Groove | Microsoft.ZuneMusic | x | x | x | No | -| Mail and Calendar | Microsoft.windows communicationsapps | x | x | x | No | -| Maps | Microsoft.WindowsMaps | x | x | x | No | -| Messaging | Microsoft.Messaging | x | x | x | No | -| Microsoft 3D Viewer | Microsoft.Microsoft3DViewer | x | x | x | No | -| Movies & TV | Microsoft.ZuneVideo | x | x | x | No | -| OneNote | Microsoft.Office.OneNote | x | x | x | Yes | -| Paid Wi-FI | Microsoft.OneConnect | x | x | x | Yes | -| Paint 3D | Microsoft.MSPaint | x | x | x | No | -| People | Microsoft.People | x | x | x | No | -| Photos | Microsoft.Windows.Photos | x | x | x | No | -| Print 3D | Microsoft.Print3D | | x | x | No | -| Solitaire | Microsoft.Microsoft SolitaireCollection| x | x | x | Yes | -| Sticky Notes | Microsoft.MicrosoftStickyNotes | x | x | x | No | -| Store | Microsoft.WindowsStore | x | x | x | No | -| Sway | Microsoft.Office.Sway | * | x | x | Yes | -| Voice Recorder | Microsoft.SoundRecorder | x | x | x | No | -| Wallet | Microsoft.Wallet | x | x | x | No | -| Weather | Microsoft.BingWeather | x | x | x | Yes | -| Xbox | Microsoft.XboxApp | x | x | x | No | -| | Microsoft.OneConnect | x | x | x | No | -| | Microsoft.DesktopAppInstaller | | | x | No | -| | Microsoft.StorePurchaseApp | x | x | x | No | -| | Microsoft.WebMediaExtensions | | | x | No | -| | Microsoft.Xbox.TCUI | | x | x | No | -| | Microsoft.XboxGameOverlay | x | x | x | No | -| | Microsoft.XboxGamingOverlay | | | x | No | -| | Microsoft.XboxIdentityProvider | x | x | x | No | -| | Microsoft.XboxSpeech ToTextOverlay | x | x | x | No | - ->[!NOTE] ->The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. - - ---- +--- \ No newline at end of file diff --git a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md index b916d7fe60..13e16012bd 100644 --- a/windows/application-management/deploy-app-upgrades-windows-10-mobile.md +++ b/windows/application-management/deploy-app-upgrades-windows-10-mobile.md @@ -55,4 +55,4 @@ You don't need to delete the deployment associated with the older version of the ![Monitoring view in Configuration Manager for the old version of the app](media/app-upgrade-old-version.png) -If you haven't deployed an app through Configuration Manager before, check out [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/apps/deploy-use/deploy-applications). You can also see how to delete deployments (although you don't have to) and notify users about the upgraded app. \ No newline at end of file +If you haven't deployed an app through Configuration Manager before, check out [Deploy applications with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/deploy-applications). You can also see how to delete deployments (although you don't have to) and notify users about the upgraded app. \ No newline at end of file diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index f36c6be04b..20b71d39e8 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 05/16/2018 +ms.date: 10/02/2018 --- # Enable or block Windows Mixed Reality apps in the enterprise @@ -34,8 +34,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - a. Download [the FOD .cab file for Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) or [the FOD .cab file for Windows 10, version 1709] - (http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + a. Download the FOD .cab file for [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). >[!NOTE] >You must download the FOD .cab file that matches your operating system version. diff --git a/windows/application-management/msix-app-packaging-tool-walkthrough.md b/windows/application-management/msix-app-packaging-tool-walkthrough.md deleted file mode 100644 index b85a15753e..0000000000 --- a/windows/application-management/msix-app-packaging-tool-walkthrough.md +++ /dev/null @@ -1,160 +0,0 @@ ---- -title: Learn how to repackage your existing win32 applications to the MSIX format. This walkthrough provides in-depth detail on how the MSIX app packaging tool can be used. -description: Learn how to use the MSIX packaging tool with this in-depth walkthrough. -keywords: ["MSIX", "application", "app", "win32", "packaging tool"] -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.localizationpriority: medium -ms.author: mikeblodge -ms.topic: article -ms.date: 08/027/2018 ---- - -# MSIX Packaging tool walkthrough - -Learn how to repackage your legacy win32 application installers to MSIX, without the need for making code changes to your apps. The MSIX Packaging Tool allows you to modernize your app to take adavantage of Microsoft Store or Microsoft Store for Business to deploy apps on Windows 10 in S mode. - -## Terminology - - -|Term |Definition | -|---------|---------| -|MPT | MSIX Packaging Tool. An enterprise grade tool that allows to package apps in the enterprise easily as MSIX without app code changes. | -|PSF | Package Support Framework. An open source framework to allow the packaging tool and the IT Admin to apply targeted fixes to the app in order to bypass some of the modern environment constrains. Some fixes will be added automatically by the tool and some will be added manually. | -|Modification Package | MSIX package to stores app preferences/settings and add-ins, decoupled from the main package. | -|Installer | Application installer can be an MSI, EXE, App-V , ClickOnce. | -|Project template file | Template file that saves the settings and parameters used for a certain package conversion. Information captured in the template includes general Tooling packaging options, settings in the options menus like exclusion lists, package deployment settings, application install location, package manifest information like Package Family Name, publisher, version and package properties like capabilities and advanced enterprise features. | - -## Creating an Application package - -![Create a package](images/welcomescreen.png) - -When the tool is first launched, you will be prompted to provide consent to sending telemtry data. It's important to note that the diagnostic data you share only comes from the app and is never used to identify or contact you. This just helps us fix things faster for you. - -![creating an application package](images/Selectinstaller.png) - -Creating an Application package is the most commonly used option. This is where you will create an MSIX package from an installer, or by manual installation of application payload. -- If an installer is being used, browse to and select the desired application installer and click **Next**. - - This field accepts a valid existing file path. - - The field can be empty if you are manually packaging. -- If there is no installer (manual packaging) click **Next**. - -*Optionally* -- Check the box under "Use Existing MSIX Package", browse, and select an existing MSIX package you'd like to update. -- Check the box under "Use installer Preferences" and enter the desired argument in the provided field. This field accepts any string. - -### Packaging method -![selecting the package environment](images/selectenvironmentthiscomputer.png) -- Select the packaging environment by selecting one of the radio buttons: - - "Create package on an existing virtual machine" if you plan to do the package creation on a VM. Click **Next**. (You will be presented with user and password fields to provide credentials for the VM if there are any). - - "Create package on this computer" if you plan to package the application on the current machine where the tool is installed. Click **Next**. - -### Create package on this computer - -![Create a package on this computer](images/packageinfo.png) - -You've selected to package your application on the current machine where the tool is installed. Nice job! Provide the information pertaining to the app. The tool will try to auto-fill these fields based on the information available from the installer. You will always have a choice to update the entries as needed. If the field as an asterisk*, it's required, but you already knew that. Inline help is provided if the entry is not valid. - -- Package name: - - Required and corresponds to package identity Name in the manifest to describe the contents of the package. - - Must match the Name subject information of the certificate used to sign a package. - - Is not shown to the end user. - - Is case-sensitive and cannot have a space. - - Can accept string between 3 and 50 characters in length that consists of alpha-numeric, period, and dash characters. - - Cannot end with a period and be one of these: "CON", "PRN", "AUX", "NUL", "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9", "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", and "LPT9." -- Package display name: - - Required and corresponds to package in the manifest to display a friendly package name to the user, in start menu and settings pages. - - Field accepts A string between 1 and 256 characters in length and is localizable. -- Publisher name - - Required and corresponds to package that describes the publisher information. - - The Publisher attribute must match the publisher subject information of the certificate used to sign a package. - - This field accepts a string between 1 and 8192 characters in length that fits the regular expression of a distinguished name : "(CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")(, ((CN | L | O | OU | E | C | S | STREET | T | G | I | SN | DC | SERIALNUMBER | Description | PostalCode | POBox | Phone | X21Address | dnQualifier | (OID.(0 | [1-9][0-9])(.(0 | [1-9][0-9]))+))=(([^,+="<>#;])+ | ".")))*". -- Publisher display name - - Reuqired and corresponds to package in the manifest to display a friendly publisher name to the user, in App installer and settings pages. - - Field accepts A string between 1 and 256 characters in length and is localizable. -- Version - - Required and corresponds to package in the manifest to describe the The version number of the package. - - This field accepts a version string in quad notation, "Major.Minor.Build.Revision". -- Install location - - This is the location that the installer is going to copy the application payload to (usually Programs Files folder). - - This field is optional but recommended. - - Browse to and select a folder path. - - Make sure this filed matches Installers Install location while you go through the application install operation. - -### Prepare computer - -![prepare your computer](images/preparecomputer.png) - -- You are provided with options to prepare the computer for packaging. -- MSIX Packaging Tool Driver is required and the tool will automatically try to enable it if it is not enabled. - > [!NOTE] - > MSIX Packaging tool driver monitors the system to capture the changes that an installer is making on the system which allows MSIX Packaging Tool to create a package based on those changes. - - The tool will first check with DISM to see if the driver is installed. -- [Optional] Check the box for “Windows Search is Active” and select “disable selected” if you choose to disable the search service. - - This is not required, only recommended. - - Once disabled, the tool will update the status field to “disabled” -- [Optional] Check the box for “Windows Update is Active” and select “disable selected” if you choose to disable the Update service. - - This is not required, only recommended. - - Once disabled, the tool will update the status field to “disabled” -- “Pending reboot” checkbox is disabled by default. You'll need to manually restart the machine and then launch the tool again if you are prompted that pending operations need a reboot. - - This not required, only recommended. -When you're done preparing the machine, click **Next**. - -### Installation - -![Installation phase for capturing the install operations](images/installation.png) - -- This is installation phase where the tool is monitoring and capturing the application install operations. -- If you've provided an installer, the tool will launch the installer and you'll need to go through the installer wizard to install the application. - - Make sure the installation path matches what was defined earlier in the package information page. - - You'll need to create a shortcut in desktop for the newly installed application. - - Once you're done with the application installation wizard, make sure you finish or close on the installation wizard. - - If you need to run multiple installers you can do that manually at this point. - - If the app needs other pre-reqs, you need to install them now. - - If the application needs .Net 3.5/20, add the optional feature to Windows. -- If installer was not provided, manually copy the application binaries to the install location that you've defined earlier in package information. -- When you've completed installing the application, click **Next**. - -### Manage first launch tasks - -![Managing first launch tasks](images/managefirstlaunchtasks.png) - -- This page shows application executables that the tool captured. -- We recommended launching the application at least once to capture any first launch tasks. -- If there are multiple applications, check the box that corresponds to the main entry point. -- If you don't see the application .exe here, manually browse to and run it. -- Click **Next** - -![pop up asking for confirmation you are done monitoring](images/donemonitoring..png) - -You'll be prompted with a pop up asking for confirmation that you're finished with application installation and managing first launch tasks. -- If you're done, click **Yes, move on**. -- If you're not done, click **No, I'm not done**. You'll be taken back to the last page to where you can launch applications, install or copy other files, and dlls/executables. - -### Package support report - -![Package support, runtime fixes that might be appliciable to the app](images/packagesupport.png) - -- Here you'll have a chance to add PSF runtime fixes that might be applicable to the application. *(not supported in preview)* - - The tool will make some suggestions and apply fixes that it thinks are applicable. - - You'll have the opportunity to add, remove or edit PSF runtime fixes - - You can see a list of PSFs provided by the community from Github. - - You'll also see a packaging report on this page. The report will call out noteworthy items for example: - - If certain restricted capabilities like allowElevation is added - - If certain files were excluded from the package. - - Etc -Once done, click **Next**. - -## Create package - -![Creating the new package](images/createpackage.png) - -- Provide a location to save the MSIX package. -- By default, packages are saved in local app data folder. -- You can define the default save location in Settings menu. -- If you'd like to continue to edit the content and properties of the package before saving the MSIX package, you can select “Package editor” and be taken to package editor. -- If you prefer to sign the package with a pre-made certificate for testing, browse to and select the certificate. -- Click **Create** to create the MSIX package. - -You'll be presented with the pop up when the package is created. This pop up will include the name, publisher, and save location of the newly created package. You can close this pop up and get redirected to the welcome page. You can also select package editor to see and modify the package content and properties. diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 9fbf85d99b..c92489e73a 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md @@ -8,240 +8,30 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: mikeblodge ms.topic: article -ms.date: 08/01/2018 +ms.date: 12/03/2018 --- # Repackage existing win32 applications to the MSIX format -The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store (coming soon). +MSIX is a packaging format built to be safe, secure and reliable, based on a combination of .msi, .appx, App-V and ClickOnce installation technologies. You can [use the MSIX packaging tool](https://docs.microsoft.com/windows/msix/packaging-tool/create-app-package-msi-vm) to repackage your existing Win32 applications to the MSIX format. -> Prerequisites: - -- Participation in the Windows Insider Program -- Minimum Windows 10 build 17701 -- Admin privileges on your PC account -- A valid MSA alias (to access the app from the Store) - -## What's new -v1.2018.821.0 -- Command Line Support -- Ability to use existing local virtual machines for packaging environment. -- Ability to cross check publisher information in the manifest with a signing certificate to avoid signing issues. -- Minor updates to the UI for added clarity. - -v1.2018.807.0 -- Ability to add/edit/remove file and registry exclusion items is now supported in Settings menu. -- Fixed an issue where signing with password protected certificates would fail in the tool. -- Fixed an issue where the tool was crashing when editing an existing MSIX package. -- Fixed an issue where the tool was injecting whitespaces programmatically to install location paths that was causing conversion failures. -- Minor UI tweaks to add clarity. -- Minor updates to the logs to add clarity. +You can either run your installer interactivly (through the UI) or create a package from the command line. Either way, you can convert an application without having the source code. Then, you can make your app available through the Microsoft Store. +- [Package your favorite application installer](https://docs.microsoft.com/windows/msix/packaging-tool/create-app-package-msi-vm) interactively (msi, exe, App-V 5.x and ClickOnce) in MSIX format. +- Create a [modification package](https://docs.microsoft.com/windows/msix/packaging-tool/package-editor) to update an existing MSIX package. +- [Bundle multiple MSIX packages](https://docs.microsoft.com/windows/msix/packaging-tool/bundle-msix-packages) for distribution. ## Installing the MSIX Packaging Tool +### Prerequisites + +- Windows 10, version 1809 (or later) +- Participation in the Windows Insider Program (if you're using an Insider build) +- A valid Microsoft account (MSA) alias to access the app from the Microsoft Store +- Admin privileges on your PC account + +### Get the app from the Microsoft Store + 1. Use the MSA login associated with your Windows Insider Program credentials in the [Microsoft Store](https://www.microsoft.com/store/r/9N5LW3JBCXKF). 2. Open the product description page. -3. Click the install icon to begin installation. - -This is an early preview build and not all features are supported. Here is what you can expect to be able to do with this preview: - -- Package your favorite application installer interactively (msi, exe, App-V 5.x and ClickOnce) to MSIX format by launching the tool and selecting **Application package** icon. -- Create a modification package for a newly created Application MSIX Package by launching the tool and selecting the **Modification package** icon. -- Open your MSIX package to view and edit its content/properties by navigating to the **Open package editor** tab. Browse to the MSIX package and select **Open package**. - -## Creating an application package using the Command line interface -To create a new MSIX package for your application, run the MsixPackagingTool.exe create-package command in a Command prompt window. - -Here are the parameters that can be passed as command line arguments: - - -|Parameter |Description | -|---------|---------| -|-?
    --help | Show help information | -|--template | [required] path to the conversion template XML file containing package information and settings for this conversion | -|--virtualMachinePassword | [optional] The password for the Virtual Machine to be used for the conversion environment. Notes: The template file must contain a VirtualMachine element and the Settings::AllowPromptForPassword attribute must not be set to true. | - -Examples: - -- MsixPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml -- MSIXPackagingTool.exe create-package --template c:\users\documents\ConversionTemplate.xml --virtualMachinePassword pswd112893 - -## Creating an application package using virtual machines - -You can select to perform the packaging steps on a virtual machine. To do this: -- Click on Application package and select “Create package on an existing virtual machine” in the select environment page. -- The tool will then query for existing Virtual machines and allows you to select one form a drop down menu. -- Once a VM is selected the tool will ask for user and password. The username field accepts domain\user entries as well. - -When using local virtual machines as conversion environment, the tool leverages an authenticated remote PowerShell connection to configure the virtual machine. A lightweight WCF server then provides bidirectional communication between the host and target environment. - -Requirements: -- Virtual Machine need to have PSRemoting enabled. (Enable-PSRemoting command should be run on the VM) -- Virtual Machine needs to be configured for Windows Insider Program similar to the host machine. Minimum Windows 10 build 17701 - - -## Conversion template file - - -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` - -## Conversion template parameter reference -Here is the complete list of parameters that you can use in the Conversion template file. When a virtual machine is conversion environment, all file paths(installer, savelocation, etc) should be declared relative to the host, where the tool is running) - - -|ConversionSettings entries |Description | -|---------|---------| -|Settings:: AllowTelemetry |[optional] Enables telemetry logging for this invocation of the tool. | -|Settings:: ApplyAllPrepareComputerFixes |[optional] Applies all recommended prepare computer fixes. Cannot be set when other attributes are used. | -|Settings:: GenerateCommandLineFile |[optional] Copies the template file input to the SaveLocation directory for future use. | -|Settings:: AllowPromptForPassword |[optional] Instructs the tool to prompt the user to enter passwords for the Virtual Machine and for the signing certificate if it is required and not specified. | -|ExclusionItems |[optional] 0 or more FileExclusion or RegistryExclusion elements. All FileExclusion elements must appear before any RegistryExclusion elements. | -|ExclusionItems::FileExclusion |[optional] A file to exclude for packaging. | -|ExclusionItems::FileExclusion::ExcludePath |Path to file to exclude for packaging. | -|ExclusionItems::RegistryExclusion |[optional] A registry key to exclude for packaging. | -|ExclusionItems::RegistryExclusion:: ExcludePath |Path to registry to exclude for packaging. | -|PrepareComputer::DisableDefragService |[optional] Disables Windows Defragmenter while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. | -|PrepareComputer:: DisableWindowsSearchService |[optional] Disables Windows Search while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. | -|PrepareComputer:: DisableSmsHostService |[optional] Disables SMS Host while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. | -|PrepareComputer:: DisableWindowsUpdateService |[optional] Disables Windows Update while the app is being converted. If set to false, overrides ApplyAllPrepareComputerFixes. | -|SaveLocation |[optional] An element to specify the save location of the tool. If not specified, the package will be saved under the Desktop folder. | -|SaveLocation::Path |The path to the folder where the resulting MSIX package is saved. | -|Installer::Path |The path to the application installer. | -|Installer::Arguments |The arguments to pass to the installer. You must pass the arguments to force your installer to run unattended/silently. If the installer is an msi or appv, pass an empty argument ie Installer=””. | -|Installer::InstallLocation |[optional] The full path to your application's root folder for the installed files if it were installed (e.g. "C:\Program Files (x86)\MyAppInstalllocation"). | -|VirtualMachine |[optional] An element to specify that the conversion will be run on a local Virtual Machine. | -|VrtualMachine::Name |The name of the Virtual Machine to be used for the conversion environment. | -|VirtualMachine::Username |[optional] The user name for the Virtual Machine to be used for the conversion environment. | -|PackageInformation::PackageName |The Package Name for your MSIX package. | -|PackageInformation::PackageDisplayName |The Package Display Name for your MSIX package. | -|PackageInformation::PublisherName |The Publisher for your MSIX package. | -|PackageInformation::PublisherDisplayName |The Publisher Display Name for your MSIX package. | -|PackageInformation::Version |The version number for your MSIX package. | -|PackageInformation:: MainPackageNameForModificationPackage |[optional] The Package identity name of the main package name. This is used when creating a modification package that takes a dependency on a main (parent) application. | -|Applications |[optional] 0 or more Application elements to configure the Application entries in your MSIX package. | -|Application::Id |The App ID for your MSIX application. This ID will be used for the Application entry detected that matches the specified ExecutableName. You can have multiple Application ID for executables in the package | -|Application::ExecutableName |The executable name for the MSIX application that will be added to the package manifest. The corresponding application entry will be ignored if no application with this name is detected. | -|Application::Description |[optional] The App Description for your MSIX application. If not used, the Application DisplayName will be used. This description will be used for the application entry detected that matches the specified ExecutableName | -|Application::DisplayName |The App Display Name for your MSIX package. This Display Name will be used for the application entry detected that matches the specified ExecutableName | -|Capabilities |[optional] 0 or more Capability elements to add custom capabilities to your MSIX package. “runFullTrust” capability is added by default during conversion. | -|Capability::Name |The capability to add to your MSIX package. | - -## Delete temporary conversion files using Command line interface -To delete all the temporary package files, logs, and artifacts created by the tool, run the MsixPackagingTool.exe cleanup command in the Command line window. - -Example: -- MsixPackagingTool.exe cleanup - -## How to file feedback - -Open Feedback Hub. Alternatively, launch the tool and select the **Settings** gear icon in the top right corner to open the Feedback tab. Here you can file feedback for suggestions, problems, and see other feedback items. - -## Best practices - -- When Packaging ClickOnce installers, it is necessary to send a shortcut to the desktop if the installer is not doing so already. In general, it's a good practice to always send a shortcut to your desktop for the main app executable. -- When creating modification packages, you need to declare the **Package Name** (Identity Name) of the parent application in the tool UI so that the tool sets the correct package dependency in the manifest of the modification package. -- Declaring an installation location field on the Package information page is optional but *recommended*. Make sure that this path matches the installation location of application Installer. -- Performing the preparation steps on the **Prepare Computer** page is optional but *highly recommended*. - -## Known issues -1. MSIX Packaging Tool Driver will fail to install if Windows Insider flight ring settings do no match the OS build of the conversion environment. Navigate to Settings, Updates & Security, Windows Insider Program to make sure your Insider preview build settings do not need attention. If you see this message click on the Fix me button to log in again. You might have to go to Windows Update page and check for update before settings change takes effect. Then try to run the tool again to download the MSIX Packaging Tool driver. If you are still hitting issues, try changing your flight ring to Canary or Insider Fast, install the latest Windows updates and try again. -2. You cannot edit the manifest manually from within the tool. (edit manifest button is disabled). Please use the SDK tools to unpack the MSIX package to edit the manifest manually. -3. Restarting the machine during application installation is not supported. Please ignore the restart request if possible or pass an argument to the installer to not require a restart. - - +3. Click the install icon to begin installation. \ No newline at end of file diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md index a01dc76b8c..1ae7911088 100644 --- a/windows/client-management/TOC.md +++ b/windows/client-management/TOC.md @@ -11,5 +11,20 @@ ## [Transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md) ## [Windows libraries](windows-libraries.md) +## [Troubleshoot Windows 10 clients](windows-10-support-solutions.md) +### [Advanced troubleshooting for Windows networking issues](troubleshoot-networking.md) +#### [Advanced troubleshooting Wireless Network Connectivity](advanced-troubleshooting-wireless-network-connectivity.md) +#### [Data collection for troubleshooting 802.1x Authentication](data-collection-for-802-authentication.md) +#### [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md) +### [Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) +#### [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) +#### [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) +#### [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) +#### [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) +### [Advanced troubleshooting for Windows start-up issues](troubleshoot-windows-startup.md) +#### [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md) +#### [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) +#### [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md) +#### [Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md) ## [Mobile device management for solution providers](mdm/index.md) ## [Change history for Client management](change-history-for-client-management.md) diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index b7f6316a52..082c384d37 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -50,6 +50,10 @@ These tools were included in previous versions of Windows and the associated doc >[!TIP]   >If the content that is linked to a tool in the following list doesn't provide the information you need to use that tool, send us a comment by using the **Was this page helpful?** feature on this **Administrative Tools in Windows 10** page. Details about the information you want for a tool will help us plan future content.  +## Related topics + +[Diagnostic Data Viewer](https://docs.microsoft.com/windows/privacy/diagnostic-data-viewer-overview) +   diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md new file mode 100644 index 0000000000..b1ab9770a3 --- /dev/null +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -0,0 +1,87 @@ +--- +title: Advanced Troubleshooting 802.1x Authentication +description: Learn how 802.1x Authentication works +keywords: advanced troubleshooting, 802.1x authentication, troubleshooting, authentication, Wi-Fi +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: mikeblodge +ms.date: 10/29/2018 +--- + +# Advanced Troubleshooting 802.1x Authentication + +## Overview +This is a general troubleshooting of 802.1x wireless and wired clients. With +802.1x and Wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make Access Points or Switches, it won't be an end-to-end Microsoft solution. + +### Scenarios +This troubleshooting technique applies to any scenario in which wireless or wired connections with 802.1X authentication is attempted and then fails to establish. The workflow covers Windows 7 - 10 for clients, and Windows Server 2008 R2 - 2012 R2 for NPS. + +### Known Issues +N/A + +### Data Collection +[Advanced Troubleshooting 802.1x Authentication Data Collection](https://docs.microsoft.com/en-us/windows/client-management/data-collection-for-802-authentication) + +### Troubleshooting +- Viewing the NPS events in the Windows Security Event log is one of the most useful troubleshooting methods to obtain information about failed authentications. + +NPS event log entries contain information on the connection attempt, including the name of the connection request policy that matched the connection attempt and the network policy that accepted or rejected the connection attempt. NPS event logging for rejected or accepted connection is enabled by default. +Check Windows Security Event log on the NPS Server for NPS events corresponding to rejected (event ID 6273) or accepted (event ID 6272) connection attempts. + +In the event message, scroll to the very bottom, and check the **Reason Code** field and the text associated with it. + +![example of an audit failure](images/auditfailure.png) +*Example: event ID 6273 (Audit Failure)* +‎ +![example of an audit success](images/auditsuccess.png) +*Example: event ID 6272 (Audit Success)* + +‎ +- The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, Wired AutoConfig operational log is equivalent one. + +On client side, navigate to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational for wireless issue (for wired network access, ..\Wired-AutoConfig/Operational). + +![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png) + +- Most 802.1X authentication issues is due to problems with the certificate which is used for client or server authentication (e.g. invalid certificate, expiration, chain verification failure, revocation check failure, etc.). + +First, make sure which type of EAP method is being used. + +![eap authentication type comparison](images/comparisontable.png) + +- If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from EAP property menu. See figure below. + +![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png) + +- The CAPI2 event log will be useful for troubleshooting certificate-related issues. +This log is not enabled by default. You can enable this log by navigating to the Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2 directory and expand it, then right-click on the Operational view and click the Enable Log menu. + +![screenshot of event viewer](images/eventviewer.png) + +You can refer to this article about how to analyze CAPI2 event logs. +[Troubleshooting PKI Problems on Windows Vista](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29) +For detailed troubleshooting 802.1X authentication issues, it's important to understand 802.1X authentication process. The figure below is an example of wireless connection process with 802.1X authentication. + +![aithenticatior flow chart](images/authenticator_flow_chart.png) + +- If you collect network packet capture on both a client and a NPS side, you can see the flow like below. Type **EAPOL** in Display Filter menu in Network Monitor for a client side and **EAP** for a NPS side. + +> [!NOTE] +> info not critical to a task If you also enable wireless scenario trace with network packet capture, you can see more detailed information on Network Monitor with **ONEX\_MicrosoftWindowsOneX** and **WLAN\_MicrosoftWindowsWLANAutoConfig** Network Monitor filtering applied. + + +![client-side packet capture data](images/clientsidepacket_cap_data.png) +*Client-side packet capture data* + +![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png) +*NPS-side packet capture data* +‎ +## Additional references +[Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/ja-jp/library/cc766215%28v=ws.10%29.aspx) + +[Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/de-de/library/cc749352%28v=ws.10%29.aspx) + diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md new file mode 100644 index 0000000000..207d12b5d3 --- /dev/null +++ b/windows/client-management/advanced-troubleshooting-boot-problems.md @@ -0,0 +1,389 @@ +--- +title: Advanced troubleshooting for Windows boot problems +description: Learn how to troubleshoot when Windows is unable to boot +ms.prod: w10 +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 11/16/2018 +--- + +# Advanced troubleshooting for Windows boot problems + +>[!NOTE] +>This article is intended for use by support agents and IT professionals. If you're looking for more general information about recovery options, see [Recovery options in Windows 10](https://support.microsoft.com/help/12415). + +## Summary + +There are several reasons why a Windows-based computer may have problems during startup. To troubleshoot boot problems, first determine in which of the following phases the computer gets stuck: + +| **Phase** | **Boot Process** | **BIOS** | **UEFI** | +|--------|----------------------|------------------------------| | +| 1 | PreBoot | MBR/PBR (Bootstrap Code) | UEFI Firmware | +| 2 | Windows Boot Manager | %SystemDrive%\bootmgr | \EFI\Microsoft\Boot\bootmgfw.efi | +| 3 | Windows OS Loader | %SystemRoot%\system32\winload.exe | %SystemRoot%\system32\winload.efi | +| 4 | Windows NT OS Kernel | %SystemRoot%\system32\ntoskrnl.exe | | + + +**1. PreBoot** + +The PC’s firmware initiates a Power-On Self Test (POST) and loads firmware settings. This pre-boot process ends when a valid system disk is detected. Firmware reads the master boot record (MBR), and then starts Windows Boot +Manager. + +**2. Windows Boot Manager** + +Windows Boot Manager finds and starts the Windows loader (Winload.exe) on the Windows boot partition. + +**3. Windows operating system loader** + +Essential drivers required to start the Windows kernel are loaded and the kernel starts to run. + +**4. Windows NT OS Kernel** + +The kernel loads into memory the system registry hive and additional drivers that are marked as BOOT_START. + +The kernel passes control to the session manager process (Smss.exe) which initializes the system session, and loads and starts the devices and drivers that are not marked BOOT_START. + +Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement. + +![thumbnail of boot sequence flowchart](images/boot-sequence-thumb.png)
    +[Click to enlarge](img-boot-sequence.md)
    + + + + +Each phase has a different approach to troubleshooting. This article provides troubleshooting techniques for problems that occur during the first three phases. + +>[!NOTE] +>If the computer repeatedly boots to the recovery options, run the following command at a command prompt to break the cycle: +> +>`Bcdedit /set {default} recoveryenabled no` +> +>If the F8 options don't work, run the following command: +> +>`Bcdedit /set {default} bootmenupolicy legacy` + + +## BIOS phase + +To determine whether the system has passed the BIOS phase, follow these steps: + +1. If there are any external peripherals connected to the computer, disconnect them. +2. Check whether the hard disk drive light on the physical computer is working. If it is not working, this indicates that the startup process is stuck at the BIOS phase. +3. Press the NumLock key to see whether the indicator light toggles on and off. If it does not, this indicates that the startup process is stuck at BIOS. + +If the system is stuck at the BIOS phase, there may be a hardware problem. + +## Boot loader phase + +If the screen is completely black except for a blinking cursor, or if you receive one of the following error codes, this indicates that the boot process is stuck in the Boot Loader phase: + +- Boot Configuration Data (BCD) missing or corrupted +- Boot file or MBR corrupted +- Operating system Missing +- Boot sector missing or corrupted +- Bootmgr missing or corrupted +- Unable to boot due to system hive missing or corrupted + +To troubleshoot this problem, use Windows installation media to start the computer, press Shift+F10 for a command prompt, and then use any of the following methods. + + +### Method 1: Startup Repair tool + +The Startup Repair tool automatically fixes many common problems. The tool also lets you quickly diagnose and repair more complex startup problems. When the computer detects a startup problem, the computer starts the Startup Repair tool. When the tool starts, it performs diagnostics. These diagnostics include analyzing startup log files to determine the cause of the problem. When the Startup Repair tool determines the cause, the tool tries to fix the problem automatically. + +To do this, follow these steps. + +>[!NOTE] +>For additional methods to start WinRE, see [Entry points into WinRE](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). + +1. Start the system to the installation media for the installed version of Windows. + **Note** For more information, see [Create installation media for Windows](https://support.microsoft.com/help/15088). + +2. On the **Install Windows** screen, select **Next** > **Repair your computer**. + +3. On the **System Recovery Options** screen, select **Next** > **Command Prompt**. + +4. After Startup Repair, select **Shutdown**, then turn on your PC to see if Windows can boot properly. + +The Startup Repair tool generates a log file to help you understand the startup problems and the repairs that were made. You can find the log file in the following location: + +**%windir%\System32\LogFiles\Srt\Srttrail.txt** + + +For more information see, [A Stop error occurs, or the computer stops responding when you try to start Windows Vista or Windows 7](https://support.microsoft.com/help/925810/a-stop-error-occurs-or-the-computer-stops-responding-when-you-try-to-s) + + +### Method 2: Repair Boot Codes + +To repair boot codes, run the following command: + +```dos +BOOTREC /FIXMBR +``` + +To repair the boot sector, run the following command: + +```dos +BOOTREC /FIXBOOT +``` + +>[!NOTE] +>Running **BOOTREC** together with **Fixmbr** overwrites only the master boot code. If the corruption in the MBR affects the partition table, running **Fixmbr** may not fix the problem. + +### Method 3: Fix BCD errors + +If you receive BCD-related errors, follow these steps: + +1. Scan for all the systems that are installed. To do this, run the following command: + ```dos + Bootrec /ScanOS + ``` + +2. Restart the computer to check whether the problem is fixed. + +3. If the problem is not fixed, run the following command: + ```dos + Bootrec /rebuildbcd + ``` + +4. You might receive one of the following outputs: + + - Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 0 + The operation completed successfully. + + - Scanning all disks for Windows installations. Please wait, since this may take a while... Successfully scanned Windows installations. Total identified Windows installations: 1 + D:\Windows + Add installation to boot list? Yes/No/All: + +If the output shows **windows installation: 0**, run the following commands: + +```dos +bcdedit /export c:\bcdbackup + +attrib c:\\boot\\bcd -h -r –s + +ren c:\\boot\\bcd bcd.old + +bootrec /rebuildbcd +``` + +After you run the command, you receive the following output: + + Scanning all disks for Windows installations. Please wait, since this may take a while...Successfully scanned Windows installations. Total identified Windows installations: 1{D}:\Windows +Add installation to boot list? Yes/No/All: Y + +5. Try again to start the system. + +### Method 4: Replace Bootmgr + +If methods 1 and 2 do not fix the problem, replace the Bootmgr file from drive C to the System Reserved partition. To do this, follow these steps: + +1. At a command prompt, change the directory to the System Reserved partition. + +2. Run the **attrib** command to unhide the file: + ```dos + attrib-s -h -r + ``` + +3. Run the same **attrib** command on the Windows (system drive): + ```dos + attrib-s -h –r + ``` + +4. Rename the Bootmgr file as Bootmgr.old: + ```dos + ren c:\\bootmgr bootmgr.old + ``` + +5. Start a text editor, such as Notepad. + +6. Navigate to the system drive. + +7. Copy the Bootmgr file, and then paste it to the System Reserved partition. + +8. Restart the computer. + +### Method 5: Restore System Hive + +If Windows cannot load the system registry hive into memory, you must restore the system hive. To do this, use the Windows Recovery Environment or use Emergency Repair Disk (ERD) to copy the files from the C:\Windows\System32\config\RegBack to C:\Windows\System32\config. + +If the problem persists, you may want to restore the system state backup to an alternative location, and then retrieve the registry hives to be replaced. + + +## Kernel Phase + +If the system gets stuck during the kernel phase, you experience multiple symptoms or receive multiple error messages. These include, but are not limited to, the following: + +- A Stop error appears after the splash screen (Windows Logo screen). + +- Specific error code is displayed. + For example, "0x00000C2" , "0x0000007B" , "inaccessible boot device" and so on. + (To troubleshoot the 0x0000007B error, see [Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)](https://internal.support.services.microsoft.com/help/4343769/troubleshooting-guide-for-windows-boot-problems#0x7bstoperror)) + +- The screen is stuck at the "spinning wheel" (rolling dots) "system busy" icon. + +- A black screen appears after the splash screen. + +To troubleshoot these problems, try the following recovery boot options one at a time. + +**Scenario 1: Try to start the computer in Safe mode or Last Known Good Configuration** + +On the **Advanced Boot Options** screen, try to start the computer in **Safe Mode** or **Safe Mode with Networking**. If either of these options works, use Event Viewer to help identify and diagnose the cause of the boot problem. To view events that are recorded in the event logs, follow these steps: + +1. Use one of the following methods to open Event Viewer: + + - Click **Start**, point to **Administrative Tools**, and then click + **Event Viewer**. + + - Start the Event Viewer snap-in in Microsoft Management Console (MMC). + +2. In the console tree, expand Event Viewer, and then click the log that you + want to view. For example, click **System log** or **Application log**. + +3. In the details pane, double-click the event that you want to view. + +4. On the **Edit** menu, click **Copy**, open a new document in the program in + which you want to paste the event (for example, Microsoft Word), and then + click **Paste**. + +5. Use the Up Arrow or Down Arrow key to view the description of the previous + or next event. + + +### Clean boot + +To troubleshoot problems that affect services, do a clean boot by using System Configuration (msconfig). +Select **Selective startup** to test the services one at a time to determine which one is causing the problem. If you cannot find the cause, try including system services. However, in most cases, the problematic service is third-party. + +Disable any service that you find to be faulty, and try to start the computer again by selecting **Normal startup**. + +For detailed instructions, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135/how-to-perform-a-clean-boot-in-windows). + +If the computer starts in Disable Driver Signature mode, start the computer in Disable Driver Signature Enforcement mode, and then follow the steps that are documented in the following article to determine which drivers or files require driver signature enforcement: +[Troubleshooting boot problem caused by missing driver signature (x64)](https://blogs.technet.microsoft.com/askcore/2012/04/15/troubleshooting-boot-issues-due-to-missing-driver-signature-x64/) + +>[!NOTE] +>If the computer is a domain controller, try Directory Services Restore mode (DSRM). +> +>This method is an important step if you encounter Stop error "0xC00002E1" or "0xC00002E2" + + +**Examples** + +>[!WARNING] +>Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these +problems can be solved. Modify the registry at your own risk. + +*Error code INACCESSIBLE_BOOT_DEVICE (STOP 0x7B)* + +To troubleshoot this Stop error, follow these steps to filter the drivers: + +1. Go to Window Recovery Environment (WinRE) by putting an ISO disk of the system in the disk drive. The ISO should be of same version of Windows or a later version. + +2. Open the registry. + +3. Load the system hive, and name it as "test." + +4. Under the following registry subkey, check for lower filter and upper filter items for Non-Microsoft Drivers: + + **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Class** + +5. For each third-party driver that you locate, click the upper or lower filter, and then delete the value data. + +6. Search through the whole registry for similar items. Process as an appropriate, and then unload the registry hive. + +7. Restart the server in Normal mode. + +For additional troubleshooting steps, see the following articles: + +- [Troubleshooting a Stop 0x7B in Windows](https://blogs.technet.microsoft.com/askcore/2013/08/05/troubleshooting-a-stop-0x7b-in-windows/) + +- [Advanced troubleshooting for "Stop error code 0x0000007B (INACCESSIBLE_BOOT_DEVICE)" errors in Windows XP](https://internal.support.services.microsoft.com/help/324103). + +To fix problems that occur after you install Windows updates, check for pending updates by using these steps: + +1. Open a Command Prompt winodw in WinRE. + +2. Run the command: + ```dos + dism /image:C:\ /get-packages + ``` + +3. If there are any pending updates, uninstall them by running the following commands: + ```dos + DISM /image:C:\ /remove-package /packagename: name of the package + ``` + ```dos + Dism /Image:C:\ /Cleanup-Image /RevertPendingActions + ``` + +Try to start the computer. + +If the computer does not start, follow these steps: + +1. Open A Command Prompt window in WinRE, and start a text editor, such as Notepad. + +2. Navigate to the system drive, and search for windows\winsxs\pending.xml. + +3. If the Pending.xml file is found, rename the file as Pending.xml.old. + +4. Open the registry, and then load the component hive in HKEY_LOCAL_MACHINE as a test. + +5. Highlight the loaded test hive, and then search for the **pendingxmlidentifier** value. + +6. If the **pendingxmlidentifier** value exists, delete the value. + +7. Unload the test hive. + +8. Load the system hive, name it as "test". + +9. Navigate to the following subkey: + + **HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\TrustedInstaller** + +10. Change the **Start** value from **1** to **4** + +11. Unload the hive. + +12. Try to start the computer. + +If the Stop error occurs late in the startup process, or if the Stop error is still being generated, you can capture a memory dump. A good memory dump can help determine the root cause of the Stop error. For details, see the following Knowledge Base article: + +- [969028](https://support.microsoft.com/help/969028) How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2 + +For more information about page file problems in Windows 10 or Windows Server 2016, see the following Knowledge Base article: + +- [4133658](https://support.microsoft.com/help/4133658) Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows + +For more information about Stop errors, see the following Knowledge Base article: + +- [3106831](https://support.microsoft.com/help/3106831) Troubleshooting Stop error problems for IT Pros + + +If the dump file shows an error that is related to a driver (for example, windows\system32\drivers\stcvsm.sys is missing or corrupted), follow these guidelines: + +- Check the functionality that is provided by the driver. If the driver is a third-party boot driver, make sure that you understand what it does. + +- If the driver is not important and has no dependencies, load the system hive, and then disable the driver. + +- If the stop error indicates system file corruption, run the system file checker in offline mode. + - To do this, open WinRE, open a command prompt, and then run the following command: + ```dos + SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows + ``` + For more information, see [Using System File Checker (SFC) To Fix Issues](https://blogs.technet.microsoft.com/askcore/2007/12/18/using-system-file-checker-sfc-to-fix-issues/) + + - If there is disk corruption, run the check disk command: + ```dos + chkdsk /f /r + ``` + + - If the Stop error indicates general registry corruption, or if you believe that new drivers or services were installed, follow these steps: + + 1. Start WinRE, and open a Command Prompt window. + 2. Start a text editor, such as Notepad. + 3. Navigate to C\Windows\System32\Config\. + 4. Rename the all five hives by appending ".old" to the name. + 5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode. diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md new file mode 100644 index 0000000000..5647279113 --- /dev/null +++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md @@ -0,0 +1,199 @@ +--- +title: Advanced Troubleshooting Wireless Network Connectivity +description: Learn how troubleshooting of establishing Wi-Fi connections +keywords: troubleshooting, wireless network connectivity, wireless, Wi-Fi +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: mikeblodge +ms.date: 10/29/2018 +--- +# Advanced Troubleshooting Wireless Network Connectivity + +> [!NOTE] +> Home users: This article is intended for use by support agents and IT professionals. If you're looking for more general information about Wi-Fi problems in Windows 10, check out this [Windows 10 Wi-Fi fix article](https://support.microsoft.com/en-in/help/4000432/windows-10-fix-wi-fi-problems). + +## Overview +This is a general troubleshooting of establishing Wi-Fi connections from Windows Clients. +Troubleshooting Wi-Fi connections requires understanding the basic flow of the Wi-Fi autoconnect state machine. Understanding this flow makes it easier to determine the starting point in a repro scenario in which a different behavior is found. +This workflow involves knowledge and use of [TextAnalysisTool](https://github.com/TextAnalysisTool/Releases), an extensive text filtering tool that is useful with complex traces with numerous ETW providers such as wireless_dbg trace scenario. + +## Scenarios + +Any scenario in which Wi-Fi connections are attempted and fail to establish. The troubleshooter is developed with Windows 10 clients in focus, but also may be useful with traces as far back as Windows 7. + +> [!NOTE] +> This troubleshooter uses examples that demonstrate a general strategy for navigating and interpreting wireless component ETW. It is not meant to be representative of every wireless problem scenario. + +Wireless ETW is incredibly verbose and calls out lots of innocuous errors (i.e. Not really errors so much as behaviors that are flagged and have nothing to do with the problem scenario). Simply searching for or filtering on "err", "error", and "fail" will seldom lead you to the root cause of a problematic Wi-Fi scenario. Instead it will flood the screen with meaningless logs that will obfuscate the context of the actual problem. + +It is important to understand the different Wi-Fi components involved, their expected behaviors, and how the problem scenario deviates from those expected behaviors. +The intention of this troubleshooter is to show how to find a starting point in the verbosity of wireless_dbg ETW and home in on the responsible component(s) causing the connection problem. + +### Known Issues and fixes +** ** +| **OS version** | **Fixed in** | +| --- | --- | +| **Windows 10, version 1803** | [KB4284848](https://support.microsoft.com/help/4284848) | +| **Windows 10, version 1709** | [KB4284822](https://support.microsoft.com/help/4284822) | +| **Windows 10, version 1703** | [KB4338827](https://support.microsoft.com/help/4338827) | + +Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update-history webpage for your system: +- [Windows 10 version 1803](https://support.microsoft.com/help/4099479) +- [Windows 10 version 1709](https://support.microsoft.com/en-us/help/4043454) +- [Windows 10 version 1703](https://support.microsoft.com/help/4018124) +- [Windows 10 version 1607 and Windows Server 2016](https://support.microsoft.com/help/4000825) +- [Windows 10 version 1511](https://support.microsoft.com/help/4000824) +- [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470) +- [Windows Server 2012](https://support.microsoft.com/help/4009471) +- [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/40009469) + +### Data Collection +1. Network Capture with ETW. Use the following command: + + **netsh trace start wireless\_dbg capture=yes overwrite=yes maxsize=4096 tracefile=c:\tmp\wireless.etl** + +2. Reproduce the issue if: + - There is a failure to establish connection, try to manually connect + - It is intermittent but easily reproducible, try to manually connect until it fails. Include timestamps of each connection attempt (successes and failures) + - Tue issue is intermittent but rare, netsh trace stop command needs to be triggered automatically (or at least alerted to admin quickly) to ensure trace doesn’t overwrite the repro data. + - Intermittent connection drops trigger stop command on a script (ping or test network constantly until fail, then netsh trace stop). + +3. Run this command to stop the trace: **netsh trace stop** +4. To convert the output file to text format: **netsh trace convert c:\tmp\wireless.etl** + +### Troubleshooting +The following is a high-level view of the main wifi components in Windows. + +![Wi-Fi stack components](images/wifistackcomponents.png) + +The Windows Connection Manager (Wcmsvc) is closely associated with the UI controls (see taskbar icon) to connect to various networks including wireless. It accepts and processes input from the user and feeds it to the core wireless service (Wlansvc). The Wireless Autoconfig Service (Wlansvc) handles the core functions of wireless networks in windows: + +- Scanning for wireless networks in range +- Managing connectivity of wireless networks + +The Media Specific Module (MSM) handles security aspects of connection being established. + +The Native Wifi stack consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc. + +Third-party wireless miniport drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows. +The wifi connection state machine has the following states: +- Reset +- Ihv_Configuring +- Configuring +- Associating +- Authenticating +- Roaming +- Wait_For_Disconnected +- Disconnected + +Standard wifi connections tend to transition between states such as: + +**Connecting** + +Reset --> Ihv_Configuring --> Configuring --> Associating --> Authenticating --> Connected + +**Disconnecting** + +Connected --> Roaming --> Wait_For_Disconnected --> Disconnected --> Reset + +- Filtering the ETW trace with the provided [TextAnalyisTool (TAT)](Missing wifi.tat file) filter is an easy first step to determine where a failed connection setup is breaking down: +Use the **FSM transition** trace filter to see the connection state machine. +Example of a good connection setup: + +``` +44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset +45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring +45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring +46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating +47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating +49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Connected +``` +Example of a failed connection setup: +``` +44676 [2]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.658 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Disconnected to State: Reset +45473 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.667 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Reset to State: Ihv\_Configuring +45597 [3]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.708 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Ihv\_Configuring to State: Configuring +46085 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.710 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Configuring to State: Associating +47393 [1]0F24.1020::‎2018‎-‎09‎-‎17 10:22:14.879 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Associating to State: Authenticating +49465 [2]0F24.17E0::‎2018‎-‎09‎-‎17 10:22:14.990 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: Authenticating to State: Roaming +``` +By identifying the state at which the connection fails, one can focus more specifically in the trace on logs just prior to the last known good state. Examining **[Microsoft-Windows-WLAN-AutoConfig]** logs just prior to the bad state change should show evidence of error. Often, however, the error is propagated up through other wireless components. +In many cases the next component of interest will be the MSM, which lies just below Wlansvc. + +![MSM details](images/msmdetails.png) + +The important components of the MSM include: +- Security Manager (SecMgr) - handles all pre and post-connection security operations. +- Authentication Engine (AuthMgr) – Manages 802.1x auth requests +Each of these components has their own individual state machines which follow specific transitions. +Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail. +Continuing with the example above, the combined filters look like this: + +``` +[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Reset to State: Ihv_Configuring +[2] 0C34.2FF0::08/28/17-13:24:28.693 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Ihv_Configuring to State: Configuring +[1] 0C34.2FE8::08/28/17-13:24:28.711 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Configuring to State: Associating +[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition INACTIVE (1) --> ACTIVE (2) +[0] 0C34.275C::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition ACTIVE (2) --> START AUTH (3) +[4] 0EF8.0708::08/28/17-13:24:28.928 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition ENABLED --> START_AUTH +[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Associating to State: Authenticating +[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4) +[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH --> AUTHENTICATING +[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11) +[2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1) +[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Authenticating to State: Roaming +``` +> [!NOTE] +> In this line the SecMgr transition is suddenly deactivating. This transition is what eventually propagates to the main connection state machine and causes the Authenticating phase to devolve to Roaming state. As before, it makes sense to focus on tracing just prior to this SecMgr behavior to determine the reason for the deactivation. + +- Enabling the **Microsoft-Windows-WLAN-AutoConfig** filter will show more detail leading to the DEACTIVATE transition: + +``` +[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Associating to State: Authenticating +[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4) +[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x186472F64FD2 AuthMgr Transition START_AUTH --> AUTHENTICATING +[0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE +[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN : PHY = 3, software state = on , hardware state = off ) +[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN +[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down +[0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 +[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11) + [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1) +[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Authenticating to State: Roaming +``` +- The trail backwards reveals a Port Down notification. Port events indicate changes closer to the wireless hardware. The trail can be followed by continuing to see the origin of this indication. +Below, the MSM is the native wifi stack (as seen in Figure 1). These are Windows native wifi drivers which talk to the wifi miniport driver(s). It is responsible for converting Wi-Fi (802.11) packets to 802.3 (Ethernet) so that TCPIP and other protocols and can use it. +Enable trace filter for **[Microsoft-Windows-NWifi]:** + +``` +[3] 0C34.2FE8::08/28/17-13:24:28.902 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Associating to State: Authenticating +[1] 0C34.275C::08/28/17-13:24:28.960 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition START AUTH (3) --> WAIT FOR AUTH SUCCESS (4) +[4] 0EF8.0708::08/28/17-13:24:28.962 [Microsoft-Windows-WLAN-AutoConfig]Port (14) Peer 0x8A1514B62510 AuthMgr Transition START_AUTH --> AUTHENTICATING +[0]0000.0000::‎08/28/17-13:24:29.127 [Microsoft-Windows-NWiFi]DisAssoc: 0x8A1514B62510 Reason: 0x4 +[0]0EF8.2EF4::‎08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PHY_STATE_CHANGE +[0]0EF8.2EF4::08/28/17-13:24:29.549 [Microsoft-Windows-WLAN-AutoConfig]Change radio state for interface = Intel(R) Centrino(R) Ultimate-N 6300 AGN : PHY = 3, software state = on , hardware state = off ) +[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received Security Packet: PORT_DOWN +[0] 0EF8.1174::‎08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]FSM Current state Authenticating , event Upcall_Port_Down +[0] 0EF8.1174:: 08/28/17-13:24:29.705 [Microsoft-Windows-WLAN-AutoConfig]Received IHV PORT DOWN, peer 0x186472F64FD2 +[2] 0C34.2FF0::08/28/17-13:24:29.751 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition WAIT FOR AUTH SUCCESS (7) --> DEACTIVATE (11) + [2] 0C34.2FF0::08/28/17-13:24:29.7512788 [Microsoft-Windows-WLAN-AutoConfig]Port<13> Peer 8A:15:14:B6:25:10 SecMgr Transition DEACTIVATE (11) --> INACTIVE (1) +[2] 0C34.2FF0::08/28/17-13:24:29.7513404 [Microsoft-Windows-WLAN-AutoConfig]FSM Transition from State: +Authenticating to State: Roaming +``` +The port down event is occurring due to a Disassociate coming Access Point as an indication to deny the connection. This could be due to invalid credentials, connection parameters, loss of signal/roaming, and various other reasons for aborting a connection. The action here would be to examine the reason for the disassociate sent from the indicated AP MAC (8A:15:14:B6:25:10). This would be done by examining internal logging/tracing from MAC device. + +### **Resources** +### [802.11 Wireless Tools and Settings](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755892(v%3dws.10)) +### [Understanding 802.1X authentication for wireless networks](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759077%28v%3dws.10%29) + diff --git a/windows/client-management/change-history-for-client-management.md b/windows/client-management/change-history-for-client-management.md index f5b708473d..91800241a0 100644 --- a/windows/client-management/change-history-for-client-management.md +++ b/windows/client-management/change-history-for-client-management.md @@ -9,13 +9,30 @@ ms.pagetype: security ms.localizationpriority: medium author: jdeckerMS ms.author: jdecker -ms.date: 09/12/2017 +ms.date: 12/06/2018 --- # Change history for Client management This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile. +## December 2018 + +New or changed topic | Description +--- | --- +[Advanced troubleshooting for TCP/IP](troubleshoot-tcpip.md) | New +[Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) | New +[Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) | New +[Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) | New +[Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) | New + +## November 2018 + +New or changed topic | Description +--- | --- + [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) | New + [Advanced troubleshooting for Stop error or blue screen error issue](troubleshoot-stop-errors.md) | New + ## RELEASE: Windows 10, version 1709 The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 920c37386e..7c666a3977 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -23,6 +23,9 @@ From its release, Windows 10 has supported remote connections to PCs that are jo ![Remote Desktop Connection client](images/rdp.png) +>[!TIP] +>Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics) + ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. @@ -33,11 +36,11 @@ From its release, Windows 10 has supported remote connections to PCs that are jo ![Allow remote connections to this computer](images/allow-rdp.png) - 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**. + 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**. >[!NOTE] >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet: > - >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"` + >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD. > >In Windows 10, version 1709, the user does not have to sign in to the remote device first. > diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md new file mode 100644 index 0000000000..60a255a2b6 --- /dev/null +++ b/windows/client-management/data-collection-for-802-authentication.md @@ -0,0 +1,386 @@ +--- +title: Data Collection for Troubleshooting 802.1x Authentication +description: Data needed for reviewing 802.1x Authentication issues +keywords: troubleshooting, data collection, data, 802.1x authentication, authentication, data +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: mikeblodge +ms.date: 10/29/2018 +--- + +# Data Collection for Troubleshooting 802.1x Authentication + + +## Capture wireless/wired functionality logs + +Use the following steps to collect wireless and wired logs on Windows and Windows Server: + +1. Create C:\MSLOG on the client machine to store captured logs. +2. Launch a command prompt as an administrator on the client machine, and run the following commands to start RAS trace log and Wireless/Wired scenario log. + + **Wireless Windows 8.1 and Windows 10:** + + ``` + netsh ras set tracing * enabled + netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl + ``` + + **Wireless Windows 7 and Windows 8:** + ``` + netsh ras set tracing * enabled + netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl + ``` + + **Wired client, regardless of version** + ``` + netsh ras set tracing * enabled + netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_cli.etl + ``` + +3. Run the following command to enable CAPI2 logging: + + ``` + wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true + ``` + +4. Create C:\MSLOG on the NPS to store captured logs. + +5. Launch a command prompt as an administrator on the NPS and run the following commands to start RAS trace log and Wireless/Wired scenario log: + + **Windows Server 2012 R2, Windows Server 2016 wireless network:** + + ``` + netsh ras set tracing * enabled + netsh trace start scenario=wlan,wlan_wpp,wlan_dbg,wireless_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl + ``` + + **Windows Server 2008 R2, Windows Server 2012 wireless network** + + ``` + netsh ras set tracing * enabled + netsh trace start scenario=wlan,wlan_wpp,wlan_dbg globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl + ``` + + **Wired network** + + ``` + netsh ras set tracing * enabled + netsh trace start scenario=lan globallevel=0xff capture=yes maxsize=1024 tracefile=C:\MSLOG\%COMPUTERNAME%_wired_nps.etl + ``` + +6. Run the following command to enable CAPI2 logging: + + ``` + wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:true + ``` +7. Run the following command from the command prompt on the client machine and start PSR to capture screen images: + + > [!NOTE] + > When the mouse button is clicked, the cursor will blink in red while capturing a screen image. + + ``` + psr /start /output c:\MSLOG\%computername%_psr.zip /maxsc 100 + ``` +8. Repro the issue. +9. Run the following command on the client PC to stop the PSR capturing: + + ``` + psr /stop + ``` + +10. Run the following commands from the command prompt on the NPS. + + - To stop RAS trace log and wireless scenario log: + + ``` + netsh trace stop + netsh ras set tracing * disabled + ``` + - To disable and copy CAPI2 log: + + ``` + wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false + wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx + ``` + +11. Run the following commands on the client PC. + - To stop RAS trace log and wireless scenario log: + ``` + netsh trace stop + netsh ras set tracing * disabled + ``` + + - To disable and copy the CAPI2 log: + ``` + wevtutil.exe sl Microsoft-Windows-CAPI2/Operational /e:false + wevtutil.exe epl Microsoft-Windows-CAPI2/Operational C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx + ``` + +12. Save the following logs on the client and the NPS: + + **Client** + - C:\MSLOG\%computername%_psr.zip + - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx + - C:\MSLOG\%COMPUTERNAME%_wireless_cli.etl + - C:\MSLOG\%COMPUTERNAME%_wireless_cli.cab + - All log files and folders in %Systemroot%\Tracing + + **NPS** + - C:\MSLOG\%COMPUTERNAME%_CAPI2.evtx + - C:\MSLOG\%COMPUTERNAME%_wireless_nps.etl (%COMPUTERNAME%_wired_nps.etl for wired scenario) + - C:\MSLOG\%COMPUTERNAME%_wireless_nps.cab (%COMPUTERNAME%_wired_nps.cab for wired scenario) + - All log files and folders in %Systemroot%\Tracing + +## Save environmental and configuration information + +### On Windows client + +1. Create C:\MSLOG to store captured logs. +2. Launch a command prompt as an administrator. +3. Run the following commands. + - Environmental information and Group Policies application status + + ``` + gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.htm + msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt + ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt + route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt + ``` + - Event logs + + ``` + wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx + wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx + wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx + wevtutil epl Microsoft-Windows-GroupPolicy/Operational C:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx + wevtutil epl "Microsoft-Windows-WLAN-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%_Microsoft-Windows-WLAN-AutoConfig-Operational.evtx + wevtutil epl "Microsoft-Windows-Wired-AutoConfig/Operational" c:\MSLOG\%COMPUTERNAME%_Microsoft-Windows-Wired-AutoConfig-Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx + wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx + ``` + - For Windows 8 and later, also run these commands for event logs: + + ``` + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx + ``` + - Certificates Store information: + + ``` + certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt + certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt + certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt + certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt + certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt + certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt + certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt + certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt + certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt + certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt + certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt + certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt + certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt + certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt + certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt + certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt + certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt + certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt + certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt + certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt + certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt + certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt + certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt + certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt + ``` + - Wireless LAN client information: + + ``` + netsh wlan show all > c:\MSLOG\%COMPUTERNAME%_wlan_show_all.txt + netsh wlan export profile folder=c:\MSLOG\ + ``` + - Wired LAN Client information + + ``` + netsh lan show interfaces > c:\MSLOG\%computername%_lan_interfaces.txt + netsh lan show profiles > c:\MSLOG\%computername%_lan_profiles.txt + netsh lan show settings > c:\MSLOG\%computername%_lan_settings.txt + netsh lan export profile folder=c:\MSLOG\ + ``` +4. Save the logs stored in C:\MSLOG. + +### On NPS + +1. Create C:\MSLOG to store captured logs. +2. Launch a command prompt as an administrator. +3. Run the following commands. + - Environmental information and Group Policies application status: + + ``` + gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.txt + msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt + ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt + route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt + ``` + - Event logs: + + ``` + wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx + wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx + wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx + wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx + wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx + ``` + - Run the following 3 commands on Windows Server 2012 and later: + + ``` + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx + ``` + - Certificates store information + + ``` + certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt + certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt + certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt + certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt + certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt + certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt + certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt + certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt + certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt + certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt + certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt + certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt + certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt + certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt + certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt + certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt + certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt + certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt + certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt + certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt + certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt + certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt + certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt + certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt + ``` + - NPS configuration information: + + ``` + netsh nps show config > C:\MSLOG\%COMPUTERNAME%_nps_show_config.txt + netsh nps export filename=C:\MSLOG\%COMPUTERNAME%_nps_export.xml exportPSK=YES + ``` +3. Take the following steps to save an NPS accounting log. + 1. Open **Administrative tools > Network Policy Server**. + 2. On the Network Policy Server administration tool, select **Accounting** in the left pane. + 3. Click **Change Log File Properties**. + 4. On the **Log File** tab, note the log file naming convention shown as **Name** and the log file location shown in **Directory** box. + 5. Copy the log file to C:\MSLOG. + +4. Save the logs stored in C:\MSLOG. + +### Certificate Authority (CA) (OPTIONAL) + +1. On a CA, launch a command prompt as an administrator. Create C:\MSLOG to store captured logs. +2. Run the following commands. + - Environmental information and Group Policies application status + + ``` + gpresult /H C:\MSLOG\%COMPUTERNAME%_gpresult.txt + msinfo32 /report c:\MSLOG\%COMPUTERNAME%_msinfo32.txt + ipconfig /all > c:\MSLOG\%COMPUTERNAME%_ipconfig.txt + route print > c:\MSLOG\%COMPUTERNAME%_route_print.txt + ``` + - Event logs + + ``` + wevtutil epl Application c:\MSLOG\%COMPUTERNAME%_Application.evtx + wevtutil epl System c:\MSLOG\%COMPUTERNAME%_System.evtx + wevtutil epl Security c:\MSLOG\%COMPUTERNAME%_Security.evtx + wevtutil epl Microsoft-Windows-GroupPolicy/Operational c:\MSLOG\%COMPUTERNAME%_GroupPolicy_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-CredentialRoaming_Operational.evtx + wevtutil epl Microsoft-Windows-CertPoleEng/Operational c:\MSLOG\%COMPUTERNAME%_CertPoleEng_Operational.evtx + ``` + - Run the following 3 lines on Windows 2012 and up + + ``` + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-System_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServicesClient-Lifecycle-User_Operational.evtx + wevtutil epl Microsoft-Windows-CertificateServices-Deployment/Operational c:\MSLOG\%COMPUTERNAME%_CertificateServices-Deployment_Operational.evtx + ``` + - Certificates store information + + ``` + certutil -v -silent -store MY > c:\MSLOG\%COMPUTERNAME%_cert-Personal-Registry.txt + certutil -v -silent -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-Registry.txt + certutil -v -silent -store -grouppolicy ROOT > c:\MSLOG\%COMPUTERNAME%_cert-TrustedRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_TrustedRootCA-Enterprise.txt + certutil -v -silent -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Reg.txt + certutil -v -silent -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -store -enterprise TRUST > c:\MSLOG\%COMPUTERNAME%_cert-EnterpriseTrust-Enterprise.txt + certutil -v -silent -store CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-Registry.txt + certutil -v -silent -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-IntermediateCA-GroupPolicy.txt + certutil -v -silent -store -enterprise CA > c:\MSLOG\%COMPUTERNAME%_cert-Intermediate-Enterprise.txt + certutil -v -silent -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Registry.txt + certutil -v -silent -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -store -enterprise AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-3rdPartyRootCA-Enterprise.txt + certutil -v -silent -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Registry.txt + certutil -v -silent -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -store -enterprise SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-SmartCardRoot-Enterprise.txt + certutil -v -silent -store -enterprise NTAUTH > c:\MSLOG\%COMPUTERNAME%_cert-NtAuth-Enterprise.txt + certutil -v -silent -user -store MY > c:\MSLOG\%COMPUTERNAME%_cert-User-Personal-Registry.txt + certutil -v -silent -user -store ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Registry.txt + certutil -v -silent -user -store -enterprise ROOT > c:\MSLOG\%COMPUTERNAME%_cert-User-TrustedRootCA-Enterprise.txt + certutil -v -silent -user -store TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-Registry.txt + certutil -v -silent -user -store -grouppolicy TRUST > c:\MSLOG\%COMPUTERNAME%_cert-User-EnterpriseTrust-GroupPolicy.txt + certutil -v -silent -user -store CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-Registry.txt + certutil -v -silent -user -store -grouppolicy CA > c:\MSLOG\%COMPUTERNAME%_cert-User-IntermediateCA-GroupPolicy.txt + certutil -v -silent -user -store Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-Registry.txt + certutil -v -silent -user -store -grouppolicy Disallowed > c:\MSLOG\%COMPUTERNAME%_cert-User-UntrustedCertificates-GroupPolicy.txt + certutil -v -silent -user -store AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-Registry.txt + certutil -v -silent -user -store -grouppolicy AuthRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-3rdPartyRootCA-GroupPolicy.txt + certutil -v -silent -user -store SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-Registry.txt + certutil -v -silent -user -store -grouppolicy SmartCardRoot > c:\MSLOG\%COMPUTERNAME%_cert-User-SmartCardRoot-GroupPolicy.txt + certutil -v -silent -user -store UserDS > c:\MSLOG\%COMPUTERNAME%_cert-User-UserDS.txt + ``` + - CA configuration information + + ``` + reg save HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.hiv + reg export HKLM\System\CurrentControlSet\Services\CertSvc c:\MSLOG\%COMPUTERNAME%_CertSvc.txt + reg save HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.hiv + reg export HKLM\SOFTWARE\Microsoft\Cryptography c:\MSLOG\%COMPUTERNAME%_Cryptography.tx + ``` +3. Copy the following files, if exist, to C:\MSLOG: %windir%\CAPolicy.inf +4. Log on to a domain controller and create C:\MSLOG to store captured logs. +5. Launch Windows PowerShell as an administrator. +6. Run the following PowerShell cmdlets. Replace the domain name in ";.. ,DC=test,DC=local"; with appropriate domain name. The example shows commands for ";test.local"; domain. + + ```powershell + Import-Module ActiveDirectory + Get-ADObject -SearchBase ";CN=Public Key Services,CN=Services,CN=Configuration,DC=test,DC=local"; -Filter \* -Properties \* | fl \* > C:\MSLOG\Get-ADObject_$Env:COMPUTERNAME.txt + ``` +7. Save the following logs. + - All files in C:\MSLOG on the CA + - All files in C:\MSLOG on the domain controller + diff --git a/windows/client-management/images/NPS_sidepacket_capture_data.png b/windows/client-management/images/NPS_sidepacket_capture_data.png new file mode 100644 index 0000000000..9d43a3ebed Binary files /dev/null and b/windows/client-management/images/NPS_sidepacket_capture_data.png differ diff --git a/windows/client-management/images/auditfailure.png b/windows/client-management/images/auditfailure.png new file mode 100644 index 0000000000..f235ad8148 Binary files /dev/null and b/windows/client-management/images/auditfailure.png differ diff --git a/windows/client-management/images/auditsuccess.png b/windows/client-management/images/auditsuccess.png new file mode 100644 index 0000000000..66ce98acb1 Binary files /dev/null and b/windows/client-management/images/auditsuccess.png differ diff --git a/windows/client-management/images/authenticator_flow_chart.png b/windows/client-management/images/authenticator_flow_chart.png new file mode 100644 index 0000000000..729895e60e Binary files /dev/null and b/windows/client-management/images/authenticator_flow_chart.png differ diff --git a/windows/client-management/images/boot-sequence-thumb.png b/windows/client-management/images/boot-sequence-thumb.png new file mode 100644 index 0000000000..164f9f9848 Binary files /dev/null and b/windows/client-management/images/boot-sequence-thumb.png differ diff --git a/windows/client-management/images/boot-sequence.png b/windows/client-management/images/boot-sequence.png new file mode 100644 index 0000000000..31e6dc34c9 Binary files /dev/null and b/windows/client-management/images/boot-sequence.png differ diff --git a/windows/client-management/images/check-disk.png b/windows/client-management/images/check-disk.png new file mode 100644 index 0000000000..2c5859470e Binary files /dev/null and b/windows/client-management/images/check-disk.png differ diff --git a/windows/client-management/images/clientsidepacket_cap_data.png b/windows/client-management/images/clientsidepacket_cap_data.png new file mode 100644 index 0000000000..b162d2e285 Binary files /dev/null and b/windows/client-management/images/clientsidepacket_cap_data.png differ diff --git a/windows/client-management/images/comparisontable.png b/windows/client-management/images/comparisontable.png new file mode 100644 index 0000000000..0f6781d93e Binary files /dev/null and b/windows/client-management/images/comparisontable.png differ diff --git a/windows/client-management/images/controlset.png b/windows/client-management/images/controlset.png new file mode 100644 index 0000000000..fe9d3c8820 Binary files /dev/null and b/windows/client-management/images/controlset.png differ diff --git a/windows/client-management/images/eappropertymenu.png b/windows/client-management/images/eappropertymenu.png new file mode 100644 index 0000000000..127d7a7e49 Binary files /dev/null and b/windows/client-management/images/eappropertymenu.png differ diff --git a/windows/client-management/images/eventviewer.png b/windows/client-management/images/eventviewer.png new file mode 100644 index 0000000000..76bbcd0650 Binary files /dev/null and b/windows/client-management/images/eventviewer.png differ diff --git a/windows/client-management/images/loadhive.png b/windows/client-management/images/loadhive.png new file mode 100644 index 0000000000..62c6643140 Binary files /dev/null and b/windows/client-management/images/loadhive.png differ diff --git a/windows/client-management/images/msmdetails.png b/windows/client-management/images/msmdetails.png new file mode 100644 index 0000000000..ad146b102e Binary files /dev/null and b/windows/client-management/images/msmdetails.png differ diff --git a/windows/client-management/images/pendingupdate.png b/windows/client-management/images/pendingupdate.png new file mode 100644 index 0000000000..19d8c9dec4 Binary files /dev/null and b/windows/client-management/images/pendingupdate.png differ diff --git a/windows/client-management/images/revertpending.png b/windows/client-management/images/revertpending.png new file mode 100644 index 0000000000..7b60c6446d Binary files /dev/null and b/windows/client-management/images/revertpending.png differ diff --git a/windows/client-management/images/rpc-error.png b/windows/client-management/images/rpc-error.png new file mode 100644 index 0000000000..0e0828522b Binary files /dev/null and b/windows/client-management/images/rpc-error.png differ diff --git a/windows/client-management/images/rpc-flow.png b/windows/client-management/images/rpc-flow.png new file mode 100644 index 0000000000..a3d9c13030 Binary files /dev/null and b/windows/client-management/images/rpc-flow.png differ diff --git a/windows/client-management/images/screenshot1.png b/windows/client-management/images/screenshot1.png new file mode 100644 index 0000000000..5138b41016 Binary files /dev/null and b/windows/client-management/images/screenshot1.png differ diff --git a/windows/client-management/images/sfc-scannow.png b/windows/client-management/images/sfc-scannow.png new file mode 100644 index 0000000000..1c079288a8 Binary files /dev/null and b/windows/client-management/images/sfc-scannow.png differ diff --git a/windows/client-management/images/tcp-ts-1.png b/windows/client-management/images/tcp-ts-1.png new file mode 100644 index 0000000000..621235d5b3 Binary files /dev/null and b/windows/client-management/images/tcp-ts-1.png differ diff --git a/windows/client-management/images/tcp-ts-10.png b/windows/client-management/images/tcp-ts-10.png new file mode 100644 index 0000000000..7bf332b57a Binary files /dev/null and b/windows/client-management/images/tcp-ts-10.png differ diff --git a/windows/client-management/images/tcp-ts-11.png b/windows/client-management/images/tcp-ts-11.png new file mode 100644 index 0000000000..75b0361f89 Binary files /dev/null and b/windows/client-management/images/tcp-ts-11.png differ diff --git a/windows/client-management/images/tcp-ts-12.png b/windows/client-management/images/tcp-ts-12.png new file mode 100644 index 0000000000..592ccf0e76 Binary files /dev/null and b/windows/client-management/images/tcp-ts-12.png differ diff --git a/windows/client-management/images/tcp-ts-13.png b/windows/client-management/images/tcp-ts-13.png new file mode 100644 index 0000000000..da6157c72a Binary files /dev/null and b/windows/client-management/images/tcp-ts-13.png differ diff --git a/windows/client-management/images/tcp-ts-14.png b/windows/client-management/images/tcp-ts-14.png new file mode 100644 index 0000000000..f3a3cc4a35 Binary files /dev/null and b/windows/client-management/images/tcp-ts-14.png differ diff --git a/windows/client-management/images/tcp-ts-15.png b/windows/client-management/images/tcp-ts-15.png new file mode 100644 index 0000000000..e3e161317f Binary files /dev/null and b/windows/client-management/images/tcp-ts-15.png differ diff --git a/windows/client-management/images/tcp-ts-16.png b/windows/client-management/images/tcp-ts-16.png new file mode 100644 index 0000000000..52a5e24e2b Binary files /dev/null and b/windows/client-management/images/tcp-ts-16.png differ diff --git a/windows/client-management/images/tcp-ts-17.png b/windows/client-management/images/tcp-ts-17.png new file mode 100644 index 0000000000..e690bbdf1c Binary files /dev/null and b/windows/client-management/images/tcp-ts-17.png differ diff --git a/windows/client-management/images/tcp-ts-18.png b/windows/client-management/images/tcp-ts-18.png new file mode 100644 index 0000000000..95cf36dbe7 Binary files /dev/null and b/windows/client-management/images/tcp-ts-18.png differ diff --git a/windows/client-management/images/tcp-ts-19.png b/windows/client-management/images/tcp-ts-19.png new file mode 100644 index 0000000000..4f2d239e57 Binary files /dev/null and b/windows/client-management/images/tcp-ts-19.png differ diff --git a/windows/client-management/images/tcp-ts-2.png b/windows/client-management/images/tcp-ts-2.png new file mode 100644 index 0000000000..cdaada6cb6 Binary files /dev/null and b/windows/client-management/images/tcp-ts-2.png differ diff --git a/windows/client-management/images/tcp-ts-20.png b/windows/client-management/images/tcp-ts-20.png new file mode 100644 index 0000000000..9b3c573f7e Binary files /dev/null and b/windows/client-management/images/tcp-ts-20.png differ diff --git a/windows/client-management/images/tcp-ts-21.png b/windows/client-management/images/tcp-ts-21.png new file mode 100644 index 0000000000..1e29a2061e Binary files /dev/null and b/windows/client-management/images/tcp-ts-21.png differ diff --git a/windows/client-management/images/tcp-ts-22.png b/windows/client-management/images/tcp-ts-22.png new file mode 100644 index 0000000000..c49dcd72ee Binary files /dev/null and b/windows/client-management/images/tcp-ts-22.png differ diff --git a/windows/client-management/images/tcp-ts-23.png b/windows/client-management/images/tcp-ts-23.png new file mode 100644 index 0000000000..16ef4604c1 Binary files /dev/null and b/windows/client-management/images/tcp-ts-23.png differ diff --git a/windows/client-management/images/tcp-ts-24.png b/windows/client-management/images/tcp-ts-24.png new file mode 100644 index 0000000000..14ae950076 Binary files /dev/null and b/windows/client-management/images/tcp-ts-24.png differ diff --git a/windows/client-management/images/tcp-ts-25.png b/windows/client-management/images/tcp-ts-25.png new file mode 100644 index 0000000000..21e8b97a08 Binary files /dev/null and b/windows/client-management/images/tcp-ts-25.png differ diff --git a/windows/client-management/images/tcp-ts-3.png b/windows/client-management/images/tcp-ts-3.png new file mode 100644 index 0000000000..ce3072c95e Binary files /dev/null and b/windows/client-management/images/tcp-ts-3.png differ diff --git a/windows/client-management/images/tcp-ts-4.png b/windows/client-management/images/tcp-ts-4.png new file mode 100644 index 0000000000..73bc5f90be Binary files /dev/null and b/windows/client-management/images/tcp-ts-4.png differ diff --git a/windows/client-management/images/tcp-ts-5.png b/windows/client-management/images/tcp-ts-5.png new file mode 100644 index 0000000000..ee64c96da0 Binary files /dev/null and b/windows/client-management/images/tcp-ts-5.png differ diff --git a/windows/client-management/images/tcp-ts-6.png b/windows/client-management/images/tcp-ts-6.png new file mode 100644 index 0000000000..8db75fdb08 Binary files /dev/null and b/windows/client-management/images/tcp-ts-6.png differ diff --git a/windows/client-management/images/tcp-ts-7.png b/windows/client-management/images/tcp-ts-7.png new file mode 100644 index 0000000000..4b61bf7e36 Binary files /dev/null and b/windows/client-management/images/tcp-ts-7.png differ diff --git a/windows/client-management/images/tcp-ts-8.png b/windows/client-management/images/tcp-ts-8.png new file mode 100644 index 0000000000..f0ef8300ba Binary files /dev/null and b/windows/client-management/images/tcp-ts-8.png differ diff --git a/windows/client-management/images/tcp-ts-9.png b/windows/client-management/images/tcp-ts-9.png new file mode 100644 index 0000000000..dba375fd65 Binary files /dev/null and b/windows/client-management/images/tcp-ts-9.png differ diff --git a/windows/client-management/images/unloadhive.png b/windows/client-management/images/unloadhive.png new file mode 100644 index 0000000000..e8eb2f859e Binary files /dev/null and b/windows/client-management/images/unloadhive.png differ diff --git a/windows/client-management/images/unloadhive1.png b/windows/client-management/images/unloadhive1.png new file mode 100644 index 0000000000..3b269f294c Binary files /dev/null and b/windows/client-management/images/unloadhive1.png differ diff --git a/windows/client-management/images/wifi.txt b/windows/client-management/images/wifi.txt new file mode 100644 index 0000000000..c35240c56c --- /dev/null +++ b/windows/client-management/images/wifi.txt @@ -0,0 +1,31 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/windows/client-management/images/wifistackcomponents.png b/windows/client-management/images/wifistackcomponents.png new file mode 100644 index 0000000000..7971a3d9bf Binary files /dev/null and b/windows/client-management/images/wifistackcomponents.png differ diff --git a/windows/client-management/images/wiredautoconfig.png b/windows/client-management/images/wiredautoconfig.png new file mode 100644 index 0000000000..cede26ce74 Binary files /dev/null and b/windows/client-management/images/wiredautoconfig.png differ diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md new file mode 100644 index 0000000000..ca385d841a --- /dev/null +++ b/windows/client-management/img-boot-sequence.md @@ -0,0 +1,11 @@ +--- +description: A full-sized view of the boot sequence flowchart. +title: Boot sequence flowchart +ms.date: 11/16/2018 +--- + +Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
    + + +![Full-sized boot sequence flowchart](images/boot-sequence.png) + diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index b51971615e..7b80381b7c 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md @@ -8,11 +8,28 @@ author: brianlic-msft ms.date: 04/19/2017 --- +**Applies to** + +- Windows 10, Windows Server 2016 + + # Manage the Settings app with Group Policy -Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. +You can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. +To make use of the Settings App group polices on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. -This policy is available at **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. +>[!Note] +>Each server that you want to manage access to the Settings App must be patched. + +To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) if your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management. + +This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app. + +Policy paths: + +**Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. + +**User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. ![Settings page visibility policy](images/settings-page-visibility-gp.png) @@ -21,7 +38,7 @@ This policy is available at **Computer Configuration** > **Administrative Templa The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon delimited list of URIs in **Settings Page Visiblity**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). >[!NOTE] -> When you specify the URI in the Settings Page Visbility textbox, don't include **ms-settings:** in the string. +> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string. Here are some examples: diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index ec81e086de..8581c76291 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -49,7 +49,7 @@ As indicated in the diagram, Microsoft continues to provide support for deep man With Windows 10, you can continue to use traditional OS deployment, but you can also “manage out of the box.” To transform new devices into fully-configured, fully-managed devices, you can: -- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot] (https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune). +- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management services such as [Microsoft Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) or [Microsoft Intune](https://docs.microsoft.com/intune/understand-explore/introduction-to-microsoft-intune). - Create self-contained provisioning packages built with the [Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages). @@ -119,18 +119,18 @@ There are a variety of steps you can take to begin the process of modernizing de **Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. -**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here is the list of MDM policies with equivalent GP - [Policies supported by GP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-gp) +**Take incremental steps.** Moving towards modern device management doesn’t have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this “managed diversity,” users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. Starting with Windows 10, version 1803, the new policy [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-mdmwinsovergp) was added to allow MDM policies to take precedence over GP when both GP and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your GP environment. Here is the list of MDM policies with equivalent GP - [Policies supported by GP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#policies-supported-by-gp) **Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Starting with Configuration Manager 1710, co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. See these topics for details: -- [Co-management for Windows 10 devices](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview) -- [Prepare Windows 10 devices for co-management](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-prepare) -- [Switch Configuration Manager workloads to Intune](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-switch-workloads) -- [Co-management dashboard in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-dashboard) +- [Co-management for Windows 10 devices](https://docs.microsoft.com/sccm/core/clients/manage/co-management-overview) +- [Prepare Windows 10 devices for co-management](https://docs.microsoft.com/sccm/core/clients/manage/co-management-prepare) +- [Switch Configuration Manager workloads to Intune](https://docs.microsoft.com/sccm/core/clients/manage/co-management-switch-workloads) +- [Co-management dashboard in System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/co-management-dashboard) ## Related topics -- [What is Intune?](https://docs.microsoft.com/en-us/intune/introduction-intune) -- [Windows 10 Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) -- [Windows 10 Configuration service Providers](https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference) +- [What is Intune?](https://docs.microsoft.com/intune/introduction-intune) +- [Windows 10 Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) +- [Windows 10 Configuration service Providers](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference) diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 01387c62d6..0a91b0f2ad 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.author: jdecker -ms.date: 08/28/2018 +ms.date: 10/02/2018 --- # Create mandatory user profiles @@ -39,7 +39,7 @@ The name of the folder in which you store the mandatory profile must use the cor | Windows 8 | Windows Server 2012 | v3 | | Windows 8.1 | Windows Server 2012 R2 | v4 | | Windows 10, versions 1507 and 1511 | N/A | v5 | -| Windows 10, versions 1607, 1703, 1709, and 1803 | Windows Server 2016 | v6 | +| Windows 10, versions 1607, 1703, 1709, 1803, and 1809 | Windows Server 2016 | v6 | For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198). @@ -61,22 +61,11 @@ First, you create a default user profile with the customizations that you want, 3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. -3. For devices running Windows 10, use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) cmdlet in Windows PowerShell to uninstall the following applications: - - - Microsoft.windowscommunicationsapps_8wekyb3d8bbwe - - Microsoft.BingWeather_8wekyb3d8bbwe - - Microsoft.DesktopAppInstaller_8wekyb3d8bbwe - - Microsoft.Getstarted_8wekyb3d8bbwe - - Microsoft.Windows.Photos_8wekyb3d8bbwe - - Microsoft.WindowsCamera_8wekyb3d8bbwe - - Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe - - Microsoft.WindowsStore_8wekyb3d8bbwe - - Microsoft.XboxApp_8wekyb3d8bbwe - - Microsoft.XboxIdentityProvider_8wekyb3d8bbwe - - Microsoft.ZuneMusic_8wekyb3d8bbwe +3. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=winserver2012-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10). + >[!NOTE] - >Uninstalling these apps will decrease sign-in time. If your deployment needs any of these apps, you can leave them installed. + >It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. 3. At a command prompt, type the following command and press **ENTER**. @@ -89,7 +78,7 @@ First, you create a default user profile with the customizations that you want, >![Microsoft Bing Translator package](images/sysprep-error.png) - >Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/en-us/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. + >Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. 5. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges. diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 10bf5bf5c8..07e2cb8f96 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -6,7 +6,7 @@ ### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) ### [Federated authentication device enrollment](federated-authentication-device-enrollment.md) ### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +### [On-premises authentication device enrollment](on-premise-authentication-device-enrollment.md) ## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md) ## [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md) ## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md) @@ -17,7 +17,7 @@ ### [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) ### [Register your free Azure Active Directory subscription](register-your-free-azure-active-directory-subscription.md) ## [Enterprise app management](enterprise-app-management.md) -## [Device update management](device-update-management.md) +## [Mobile device management (MDM) for device updates](device-update-management.md) ## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md) ## [Management tool for the Microsoft Store for Business](management-tool-for-windows-store-for-business.md) ### [REST API reference for Microsoft Store for Business](rest-api-reference-windows-store-for-business.md) @@ -225,7 +225,6 @@ #### [LanmanWorkstation](policy-csp-lanmanworkstation.md) #### [Licensing](policy-csp-licensing.md) #### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md) -#### [Location](policy-csp-location.md) #### [LockDown](policy-csp-lockdown.md) #### [Maps](policy-csp-maps.md) #### [Messaging](policy-csp-messaging.md) diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md index a6e5b3ded3..c0bc44f76f 100644 --- a/windows/client-management/mdm/accounts-ddf-file.md +++ b/windows/client-management/mdm/accounts-ddf-file.md @@ -68,7 +68,7 @@ The XML below is for Windows 10, version 1803. - This node specifies the name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect. + This node specifies the name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%. Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect. diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index aed29f1f97..d77371ecc7 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -89,7 +89,7 @@ Required. A character string that specifies the location of the icon associated Supported operations are Get, Replace, and Add (cannot Add after the account is created). -The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired. +The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired. ***Account GUID*/AccountType** Required. A character string that specifies the account type. diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 8d960a68db..c9d931e3e6 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -587,7 +587,7 @@ The following list shows the apps that may be included in the inbox. Microsoft Frameworks ProductID = 00000000-0000-0000-0000-000000000000 -

    PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"

    +

    PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"

    @@ -851,7 +851,7 @@ The following example disables the calendar application. chr text/plain - <AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"><Deny><App ProductId="{a558feba-85d7-4665-b5d8-a2ff9c19799b}"/></Deny></AppPolicy> + @@ -875,22 +875,22 @@ The following example blocks the usage of the map application. chr - <RuleCollection Type="Appx" EnforcementMode="Enabled"> - <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed Appx packages" Description="Allows members of the Everyone group to run Appx packages that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> - <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + + - <FilePublisherRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="Deny Splash appmaps" Description="Deny members of the local Administrators group to run maps." UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - </RuleCollection> + @@ -915,22 +915,22 @@ The following example disables the Mixed Reality Portal. In the example, the **I text/plain - <RuleCollection Type="Appx" EnforcementMode="Enabled"> - <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*"> - <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - <FilePublisherRule Id="d26da4e7-0b01-484d-a8d3-d5b5341b2d55" Name="Block Mixed Reality Portal" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.HolographicFirstRun" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - </RuleCollection>> + + + + + + + + + + + + + + + + > @@ -976,421 +976,421 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo chr -<RuleCollection Type="Appx" EnforcementMode="Enabled"> + - <FilePublisherRule Id="172B8ACE-AAF5-41FA-941A-93AEE126B4A9" Name="Default Rule to Deny ALL" Description="Deny all publisher" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="CN=*" ProductName="*" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="DDCD112F-E003-4874-8B3E-14CB23851D54" Name="Whitelist Settings splash app" Description="Allow Admins to run Settings." UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="2A4E62D8-8809-4787-89F8-69D0F01654FB" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="757D94A8-C752-4013-9896-D46EF10925E9" Name="Whitelist Settings WorkOrSchool" Description="Allow Admins to run WorkOrSchool" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA562A" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="473BCE1A-94D2-4AE1-8CB1-064B0677CACB" Name="Whitelist WorkPlace AAD BrokerPlugin" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.AAD.BrokerPlugin" BinaryName="*" > - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="E13EA64B-B0D3-4257-87F4-1B522D06EA03" Name="Whitelist Start" Description="Allow Admins to run Start." UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5602" BinaryName="*" > - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="2898C4B2-4B37-4BFF-8F7B-16B377EDEA88" Name="Whitelist SettingsPageKeyboard" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5608" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="15BBA04F-3989-4FF7-9FEF-83C4DFDABA27" Name="Whitelist SettingsPageTimeRegion" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea560c" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="C3735CB1-060D-4D40-9708-6D33B98A7A2D" Name="Whitelist SettingsPagePCSystemBluetooth" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5620" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="AFACF5A3-2974-41EE-A31A-1486F593C145" Name="Whitelist SettingsPageNetworkAirplaneMode" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5621" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="7B02A339-9E77-4694-AF86-119265138129" Name="Whitelist SettingsPageNetworkWiFi" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5623" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="F912172F-9D83-46F5-8D6C-BA7AB17063BE" Name="Whitelist SettingsPageNetworkInternetSharing" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5629" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="67AE8001-4E49-442A-AD72-F837129ABF63" Name="Whitelist SettingsPageRestoreUpdate" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5640" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="7B65BCB2-4B1D-42B6-921B-B87F1474BDC5" Name="Whitelist SettingsPageKidsCorner" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5802" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="3964A53B-E131-4ED6-88DA-71FBDBE4E232" Name="Whitelist SettingsPageDrivingMode" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5804" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="99C4CD58-51A2-429A-B479-976ADB4EA757" Name="Whitelist SettingsPageTimeLanguage" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5808" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="EBA3BCBE-4651-48CE-8F94-C5AC5D8F72FB" Name="Whitelist SettingsPageAppsCorner" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea580a" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="E16EABCC-46E7-4AB3-9F48-67FFF941BBDC" Name="Whitelist SettingsPagePhoneNfc" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="b0894dfd-4671-4bb9-bc17-a8b39947ffb6" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*"/> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> + + + + + + + - <FilePublisherRule Id="1F4C3904-9976-4FEE-A492-5708F14EABA5" Name="Whitelist MSA Cloud Experience Host" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.CloudExperienceHost" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="AA741A28-7C02-49A5-AA5C-35D53FB8A9DC" Name="Whitelist Email and Accounts" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.AccountsControl" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="863BE063-D134-4C5C-9825-9DF9A86B6B56" Name="Whitelist Calculator" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsCalculator" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="1DA2F479-3D1D-4425-9FFA-D4E6908F945A" Name="Whitelist Alarms and Clock" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsAlarms" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="18E12372-21C6-4DA5-970E-0A58739D7151" Name="Whitelist People" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.People" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="FD686D83-A829-4351-8FF4-27C7DE5755D2" Name="Whitelist Camera" Description="Allow Admins to run camera." UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsCamera" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="16875F70-1778-43CC-96BB-783C9A8E53D5" Name="Whitelist WindowsMaps" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="D21D6F9D-CFF6-4AD1-867A-2411CE6A388D" Name="Whitelist FileExplorer" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="c5e2524a-ea46-4f67-841f-6a9465d9d515" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="450B6D7E-1738-41C9-9241-466C3FA4AB0C" Name="Whitelist FM Radio" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="F725010E-455D-4C09-AC48-BCDEF0D4B626" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="37F4272C-F4A0-4AB8-9B5F-C9194A0EC6F3" Name="Whitelist Microsoft Edge" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftEdge" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="253D3AEA-36C0-4877-B932-9E9C9493F3F3" Name="Whitelist Movies" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ZuneVideo" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="9A73E081-01D1-4BFD-ADF4-5C29AD4031F7" Name="Whitelist Money" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingFinance" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="EE4BF66C-EBF0-4565-982C-922FFDCB2E6D" Name="Whitelist News" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingNews" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="D78E6A9D-10F8-4C23-B620-40B01B60E5EA" Name="Whitelist Onedrive" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="AD543082-80EC-45BB-AA02-FFE7F4182BA8" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="0012F35E-C242-47FF-A573-3DA06AF7E43C" Name="Whitelist Onedrive APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftSkydrive" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="178B0D68-3498-40CE-A0C3-295C6B3DA169" Name="Whitelist OneNote" Description="Allow Admins to run onenote." UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.OneNote" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="673914E4-D73A-405D-8DCF-173E36EA6722" Name="Whitelist GetStarted" Description="Allow Admins to run onenote." UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Getstarted" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="4546BD28-69B6-4175-A44C-33197D48F658" Name="Whitelist Outlook Calendar" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="7B843572-E1AD-45E6-A1F2-C551C70E4A34" Name="Whitelist Outlook Mail" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="E5A1CD1A-8C23-41E4-AACF-BF82FCE775A5" Name="Whitelist Photos" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="0A194DD1-B25B-4512-8AFC-6F560D0EC205" Name="Whitelist PodCasts" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MSPodcast" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="F5D27860-0238-4D1A-8011-9B8B263C3A33" Name="Whitelist SkypeApp" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="Microsoft.SkypeApp" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="B8BBC965-EC6D-4C16-AC68-C5F0090CB703" Name="Whitelist Store" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="6031E1E7-A659-4B3D-87FB-3CB4C900F9D2" Name="Whitelist Sports" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingSports" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="A6D61B56-7CF7-4E95-953C-3A5913309B4E" Name="Whitelist Wallet" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftWallet" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="A2C44744-0627-4A52-937E-E3EC1ED476E0" Name="Whitelist Weather" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingWeather" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="D79978B4-EFAE-4458-8FE1-0F13B5CE6764" Name="Whitelist Xbox" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.XboxApp" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="395713B9-DD39-4741-8AB3-63D0A0DCA2B0" Name="Whitelist Xbox Identity Provider" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.XboxIdentityProvider" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="7565A8BB-D50B-4237-A9E9-B0997B36BDF9" Name="Whitelist Voice recorder" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsSoundRecorder" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="409A286E-8C3D-48AB-9D7C-3225A48B30C9" Name="Whitelist Word" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.Word" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="F72A5DA6-CA6A-4E7F-A350-AC9FACAB47DB" Name="Whitelist Excel" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.Excel" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="169B3498-2A73-4D5C-8AFB-A0DE2908A07D" Name="Whitelist PowerPoint" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.PowerPoint" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="A483B662-3538-4D70-98A7-1312D51A0DB9" Name="Whitelist Contact Support" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Windows.ContactSupport" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="EAB1CEDC-DD8A-4311-9146-27A3C689DEAF" Name="Whitelist Cortana" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Cortana" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="01CD8E68-666B-4DE6-8849-7CE4F0C37CA8" Name="Whitelist Storage" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA564D" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="15D9AD89-58BC-458E-9B96-3A18DA63AC3E" Name="Whitelist Groove Music" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ZuneMusic" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="E2B71B03-D759-4AE2-8526-E1A0CE2801DE" Name="Whitelist Windows Feedback" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsFeedback" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="E7A30489-A20B-44C3-91A8-19D9F61A8B5B" Name="Whitelist Messaging and Messaging Video" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Messaging" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="D2A16D0C-8CC0-4C3A-9FB5-C1DB1B380CED" Name="Whitelist Phone splash" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5611" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="2A355478-7449-43CB-908A-A378AA59FBB9" Name="Whitelist Phone APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.CommsPhone" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="89441630-7F1C-439B-8FFD-0BEEFF400C9B" Name="Whitelist Connect APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.DevicesFlow" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="E8AF01B5-7039-44F4-8072-6A6CC71EDF2E" Name="Whitelist Miracast APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="906BEEDA-B7E6-4DDC-BA8D-AD5031223EF9" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="DA02425B-0291-4A10-BE7E-B9C7922F4EDF" Name="Whitelist Print Dialog APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.PrintDialog" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="42919A05-347B-4A5F-ACB2-73710A2E6203" Name="Whitelist Block and Filter APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BlockandFilterglobal" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="6F3D8885-C15E-4D7E-8E1F-F2A560C08F9E" Name="Whitelist MSFacebook" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MSFacebook" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + - <FilePublisherRule Id="5168A5C3-5DC9-46C1-87C0-65A9DE1B4D18" Name="Whitelist Advanced Info" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> - <Conditions> - <FilePublisherCondition PublisherName="*" ProductName="B6E3E590-9FA5-40C0-86AC-EF475DE98E88" BinaryName="*" /> - </Conditions> - </FilePublisherRule> + + + + + -</RuleCollection> + @@ -1689,119 +1689,119 @@ In this example, Contoso is the node name. We recommend using a GUID for this no chr - <RuleCollection Type="Exe" EnforcementMode="Enabled"> - <FilePublisherRule Id="b005eade-a5ee-4f5a-be45-d08fa557a4b2" Name="MICROSOFT OFFICE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - <FilePublisherRule Id="de9f3461-6856-405d-9624-a80ca701f6cb" Name="MICROSOFT OFFICE 2003, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2003" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - <FilePublisherRule Id="ade1b828-7055-47fc-99bc-432cf7d1209e" Name="2007 MICROSOFT OFFICE SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="2007 MICROSOFT OFFICE SYSTEM" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - <FilePublisherRule Id="f6a075b5-a5b5-4654-abd6-731dacb40d95" Name="MICROSOFT OFFICE ONENOTE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE ONENOTE" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="12.0.9999.9999" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - <FilePublisherRule Id="0ec03b2f-e9a4-4743-ae60-6d29886cf6ae" Name="MICROSOFT OFFICE OUTLOOK, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE OUTLOOK" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="12.0.9999.9999" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - <FilePublisherRule Id="7b272efd-4105-4fb7-9d40-bfa597c6792a" Name="MICROSOFT OFFICE 2013, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2013" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - </FilePublisherRule> - <FilePublisherRule Id="89d8a4d3-f9e3-423a-92ae-86e7333e2662" Name="MICROSOFT ONENOTE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONENOTE" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - <Exceptions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONENOTE" BinaryName="ONENOTE.EXE"> - <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> - </FilePublisherCondition> - </Exceptions> - </FilePublisherRule> - <FilePublisherRule Id="5a2138bd-8042-4ec5-95b4-f990666fbf61" Name="MICROSOFT OUTLOOK, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OUTLOOK" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - <Exceptions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OUTLOOK" BinaryName="OUTLOOK.EXE"> - <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> - </FilePublisherCondition> - </Exceptions> - </FilePublisherRule> - <FilePublisherRule Id="3fc5f9c5-f180-435b-838f-2960106a3860" Name="MICROSOFT ONEDRIVE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONEDRIVE" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - <Exceptions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONEDRIVE" BinaryName="ONEDRIVE.EXE"> - <BinaryVersionRange LowSection="17.3.6386.0412" HighSection="*" /> - </FilePublisherCondition> - </Exceptions> - </FilePublisherRule> - <FilePublisherRule Id="17d988ef-073e-4d92-b4bf-f477b2ecccb5" Name="MICROSOFT OFFICE 2016, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> - <Conditions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="*"> - <BinaryVersionRange LowSection="*" HighSection="*" /> - </FilePublisherCondition> - </Conditions> - <Exceptions> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="LYNC.EXE"> - <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> - </FilePublisherCondition> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="LYNC99.EXE"> - <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> - </FilePublisherCondition> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="UCMAPI.EXE"> - <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> - </FilePublisherCondition> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="OCPUBMGR.EXE"> - <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> - </FilePublisherCondition> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="WINWORD.EXE"> - <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> - </FilePublisherCondition> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="EXCEL.EXE"> - <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> - </FilePublisherCondition> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="POWERPNT.EXE"> - <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> - </FilePublisherCondition> - <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="MSOSYNC.EXE"> - <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> - </FilePublisherCondition> - </Exceptions> - </FilePublisherRule> - </RuleCollection> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 62c91ca217..cd811d320d 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -19,7 +19,7 @@ ms.date: 06/26/2017 ### EnterpriseAppVManagement CSP node structure -[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) +[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) ![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png) @@ -54,7 +54,7 @@ ms.date: 06/26/2017

    Dynamic policy examples:

    -[Dynamic configuration processing](https://technet.microsoft.com/en-us/itpro/windows/manage/appv-application-publishing-and-client-interaction#bkmk-dynamic-config">Dynamic configuration processing) +[Dynamic configuration processing](https://technet.microsoft.com/itpro/windows/manage/appv-application-publishing-and-client-interaction#bkmk-dynamic-config">Dynamic configuration processing)

    AppVPackageManagement - Primarily read-only App-V package inventory data for MDM servers to query current packages.

    @@ -83,9 +83,9 @@ ms.date: 06/26/2017

    A complete list of App-V policies can be found here:

    -[ADMX-backed policy reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed) +[ADMX-backed policy reference](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed) -[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) +[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) ### SyncML examples @@ -106,7 +106,7 @@ ms.date: 06/26/2017 ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient - <enabled/> + ``` @@ -126,14 +126,14 @@ ms.date: 06/26/2017 ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts - <enabled/> + ```

    Complete list of App-V policies can be found here:

    -[Policy CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider) +[Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider) #### SyncML with package published for a device (global to all users for that device) diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 961f686782..e6004a22a5 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/25/2018 +ms.date: 09/18/2018 --- # AssignedAccess CSP @@ -17,7 +17,7 @@ The AssignedAccess configuration service provider (CSP) is used to set the devic For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](https://go.microsoft.com/fwlink/p/?LinkID=722211) - In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). + In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). > [!Warning] > You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups. @@ -33,7 +33,7 @@ The following diagram shows the AssignedAccess configuration service provider in Root node for the CSP. **./Device/Vendor/MSFT/AssignedAccess/KioskModeApp** -A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). +A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app). For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](https://go.microsoft.com/fwlink/p/?LinkID=722211) @@ -69,7 +69,7 @@ For a local account, the domain name should be the device name. When Get is exec The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same. **./Device/Vendor/MSFT/AssignedAccess/Configuration** -Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). +Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd). > [!Note] > In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk. @@ -95,20 +95,41 @@ In Windows 10, version 1803, Assigned Access runtime status only supports monito Note that status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus. - |Status code | KioskModeAppRuntimeStatus | |---------|---------| | 1 | KioskModeAppRunning | | 2 | KioskModeAppNotFound | | 3 | KioskModeAppActivationFailure | +Additionally, the status payload includes a profileId that can be used by the MDM server to correlate which kiosk app caused the error. -Additionally, the status payload includes a profileId, which can be used by the MDM server to correlate which kiosk app caused the error. +In Windows 10, version 1809, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes. + +|Status|Description| +|---|---| +|Running|The AssignedAccess account (kiosk or multi-app) is running normally.| +|AppNotFound|The kiosk app isn't deployed to the machine.| +|ActivationFailed|The AssignedAccess account (kiosk or multi-app) failed to sign in.| +|AppNoResponse|The kiosk app launched successfully but is now unresponsive.| + +Note that status codes available in the Status payload correspond to a specific AssignedAccessRuntimeStatus. + +|Status code|AssignedAccessRuntimeStatus| +|---|---| +|1|Running| +|2|AppNotFound| +|3|ActivationFailed| +|4|AppNoResponse| + +Additionally, the Status payload includes the following fields: + +- profileId: can be used by the MDM server to correlate which account caused the error. +- OperationList: list of failed operations that occurred while applying the assigned access CSP, if any exist. Supported operation is Get. **./Device/Vendor/MSFT/AssignedAccess/ShellLauncher** -Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. For more information, see [Shell Launcher](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/shell-launcher). +Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. For more information, see [Shell Launcher](https://docs.microsoft.com/windows-hardware/customize/enterprise/shell-launcher). > [!Note] > You cannot set both ShellLauncher and KioskModeApp at the same time on the device. @@ -1116,10 +1137,11 @@ ShellLauncherConfiguration Get - - - - + + + + + @@ -1129,19 +1151,35 @@ ShellLauncherConfiguration Get + + + + + + + + + + + + + + + + - + - + - + @@ -1149,7 +1187,7 @@ ShellLauncherConfiguration Get ## Windows Holographic for Business edition example -This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](https://docs.microsoft.com/en-us/hololens/hololens-provisioning). +This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](https://docs.microsoft.com/hololens/hololens-provisioning). ``` syntax @@ -1205,4 +1243,4 @@ This example configures the following apps: Skype, Learning, Feedback Hub, and C -``` \ No newline at end of file +``` diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index f8e1ed6025..8cc949f6b9 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -60,7 +60,7 @@ In the out-of-the-box scenario, the web view is 100% full screen, which gives th For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](https://go.microsoft.com/fwlink/?LinkId=690246). -Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar. +Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar. > **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. @@ -122,7 +122,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD. 6. Click **Add an application my organization is developing**. 7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**. 8. Enter the login URL for your MDM service. -9. For the App ID, enter **https://<your\_tenant\_name>/ContosoMDM**, then click OK. +9. For the App ID, enter **https://<your\_tenant\_name>/ContosoMDM**, then click OK. 10. While still in the Azure portal, click the **Configure** tab of your application. 11. Mark your application as **multi-tenant**. 12. Find the client ID value and copy it. @@ -400,7 +400,7 @@ Location: Example: HTTP/1.1 302 -Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Acess%20is%20denied%2E +Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Access%20is%20denied%2E ``` The following table shows the error codes. @@ -693,8 +693,8 @@ PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655c Authorization: Bearer eyJ0eXAiO……… Accept: application/json Content-Type: application/json -{ “isManaged”:true, - “isCompliant”:true +{ "isManaged":true, + "isCompliant":true } ``` diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 5925f48358..2e0b0840bd 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -6,9 +6,8 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/31/2018 +ms.date: 12/06/2018 --- - # BitLocker CSP > [!WARNING] @@ -795,13 +794,13 @@ The following diagram shows the BitLocker configuration service provider in tree **AllowWarningForOtherDiskEncryption** -

    Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

    +

    Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.

    > [!Important] -> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/en-us/windows/device-security/bitlocker/bitlocker-overview) for value 0. +> Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview). > [!Warning] -> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows. +> When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows. @@ -844,6 +843,16 @@ The following diagram shows the BitLocker configuration service provider in tree ``` +>[!NOTE] +>When you disable the warning prompt, the OS drive's recovery key will back up to the user's Azure Active Directory account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key. +> +>The endpoint for a fixed data drive's backup is chosen in the following order: + >1. The user's Windows Server Active Directory Domain Services account. + >2. The user's Azure Active Directory account. + >3. The user's personal OneDrive (MDM/MAM only). +> +>Encryption will wait until one of these three locations backs up successfully. + **AllowStandardUserEncryption** Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account. @@ -854,7 +863,7 @@ Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where pol If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system. -The expected values for this policy are: +The expected values for this policy are: - 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user. - 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive. diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index de3a4c2736..343ffbf2c3 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -33,7 +33,7 @@ The following diagram shows the BrowserFavorite configuration service provider i ***favorite name*** Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer. -> **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > | +> **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > |   diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index fc0c578410..8aa018c18c 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -32,7 +32,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro >[!NOTE]   > - Bulk-join is not supported in Azure Active Directory Join. -> - Bulk enrollment does not work in Intune standalone enviroment. +> - Bulk enrollment does not work in Intune standalone environment. > - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.   @@ -79,7 +79,7 @@ Using the ICD, create a provisioning package using the enrollment information re 12. Enter the values for your package and specify the package output location. ![enter package information](images/bulk-enrollment3.png) - ![enter additonal information for package information](images/bulk-enrollment4.png) + ![enter additional information for package information](images/bulk-enrollment4.png) ![specify file location](images/bulk-enrollment6.png) 13. Click **Build**. diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md index 6562fc73d0..680d7840ab 100644 --- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md @@ -187,7 +187,7 @@ The following snippet shows the policy web service response. ``` HTTP/1.1 200 OK Date: Fri, 03 Aug 2012 20:00:00 GMT -Server: +Server: Content-Type: application/soap+xml Content-Length: xxxx diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md index cde5940e24..aff0b23244 100644 --- a/windows/client-management/mdm/certificatestore-csp.md +++ b/windows/client-management/mdm/certificatestore-csp.md @@ -194,7 +194,7 @@ Required. Specifies the root CA thumbprint. It is a 20-byte value of the SHA1 ce Supported operations are Get, Add, Delete, and Replace. **My/SCEP/*UniqueID*/Install/SubjectAlternativeNames** -Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *<nameformat1>*+*<actual name1>*;*<name format 2>*+*<actual name2>*. Value type is chr. +Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format **+**;**+**. Value type is chr. Supported operations are Get, Add, Delete, and Replace. @@ -299,7 +299,7 @@ For ROBO renewal failure, the client retries the renewal periodically until the For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again. -The default value is 7 and the valid values are 1 – 1000 AND =< RenewalPeriod, otherwise it will result in errors. Value type is an integer. +The default value is 7 and the valid values are 1 – 1000 AND =< RenewalPeriod, otherwise it will result in errors. Value type is an integer. Supported operations are Add, Get, Delete, and Replace. diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 128a41801d..f3c9fd3fc3 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -2,18 +2,18 @@ title: ClientCertificateInstall CSP description: ClientCertificateInstall CSP ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7 -ms.author: maricia +ms.author: pashort ms.topic: article ms.prod: w10 ms.technology: windows -author: MariciaAlforque -ms.date: 11/03/2017 +author: shortpatti +ms.date: 10/16/2018 --- # ClientCertificateInstall CSP -The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. +The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block. @@ -90,7 +90,7 @@ The following image shows the ClientCertificateInstall configuration service pro

    Supported operations are Get, Add, and Replace. **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType** -

    Optional. Used to specify whtether the PFX certificate password is encrypted with the MDM certificate by the MDM sever. +

    Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server.

    The data type is int. Valid values: diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 977dd79898..b5ef7a8349 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -168,7 +168,7 @@ Supported operations are Get, Add, Replace If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate -CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx +CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/library/windows/desktop/aa381414(v=vs.85).aspx @@ -626,7 +626,7 @@ Supported operations are Get, Add, Delete noreplace 3 - Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. + Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. The min value is 0 which means no retry. Supported operations are Get, Add, Delete, Replace. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 350ea6ad5e..dfd6b9d464 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -15,7 +15,7 @@ ms.date: 08/27/2018 A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot. -For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/dn905224). For CSP DDF files, see [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). +For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224). For CSP DDF files, see [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). Additional lists: @@ -2744,11 +2744,17 @@ The following list shows the configuration service providers supported in Window - [DMAcc CSP](dmacc-csp.md) - [DMClient CSP](dmclient-csp.md) - [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md) +- [HealthAttestation CSP](healthattestation-csp.md) +- [NetworkProxy CSP](networkproxy-csp.md) - [Policy CSP](policy-configuration-service-provider.md) - [Provisioning CSP (Provisioning only)](provisioning-csp.md) +- [Reboot CSP](reboot-csp.md) +- [RemoteWipe CSP](remotewipe-csp.md) 1 - [RootCATrustedCertificates CSP](rootcacertificates-csp.md) +- [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) - [Update CSP](update-csp.md) - [VPNv2 CSP](vpnv2-csp.md) - [WiFi CSP](wifi-csp.md) - + Footnotes: +- 1 - Added in Windows 10, version 1809 diff --git a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md index e9e64f8c54..8604379b77 100644 --- a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md +++ b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md @@ -33,7 +33,7 @@ To write a custom configuration service provider, the OEM must implement the fol - [ICSPValidate](icspvalidate.md) (optional, for UI only) -This code must be compiled into a single .dll file and added to a package by using the instructions found in "Adding content to a package" in [Creating packages](https://msdn.microsoft.com/en-us/library/windows/hardware/dn756642). While writing this code, OEMs can store registry settings and files in the following locations. +This code must be compiled into a single .dll file and added to a package by using the instructions found in "Adding content to a package" in [Creating packages](https://msdn.microsoft.com/library/windows/hardware/dn756642). While writing this code, OEMs can store registry settings and files in the following locations.

    diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index f8e2889036..0d91af34b6 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -12,7 +12,7 @@ ms.date: 06/26/2018 # DeveloperSetup CSP -The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](https://msdn.microsoft.com/en-us/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703. +The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](https://msdn.microsoft.com/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703. > [!NOTE] The DeveloperSetup configuration service provider (CSP) is only supported in Windows 10 Holographic Enterprise edition and with runtime provisioning via provisioning packages. It is not supported in MDM. diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 84e3a07225..82cf5ef7d9 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -1,5 +1,5 @@ --- -title: Device update management +title: Mobile device management MDM for device updates description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777 keywords: mdm,management,administrator @@ -12,7 +12,7 @@ ms.date: 11/15/2017 --- -# Device update management +# Mobile device management (MDM) for device updates >[!TIP] >If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq). diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index a0cec11bb0..699a3d4489 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -32,7 +32,7 @@ To help diagnose enrollment or device management issues in Windows 10 devices m Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location: -- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider +- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider Here's a screenshot: @@ -138,7 +138,7 @@ Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medi ![field medic screenshot](images/diagnose-mdm-failures5.png) 7. Save the logs. They will be stored in the Field Medic log location on the device. -8. You can send the logs via email by attaching the files from **Documents > Field Medic > Reports > ...** folder. +8. You can send the logs via email by attaching the files from **Documents > Field Medic > Reports > ...** folder. ![device documents folder](images/diagnose-mdm-failures6.png)![device folder screenshot](images/diagnose-mdm-failures7.png)![device folder screenshot](images/diagnose-mdm-failures8.png) diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index 4fb7edff7c..97ae506323 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -25,7 +25,7 @@ The content below are the latest versions of the DDF files: ## DiagnosticLog CSP version 1.2 -``` syntax +```xml 4 - This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4. + This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4. @@ -634,7 +634,7 @@ The content below are the latest versions of the DDF files: ## DiagnosticLog CSP version 1.3 -``` syntax +```xml 4 - This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4. + This node is used for setting or getting the block size (in Kilobytes) for the download of associated log file. The value range is 1~16. Default value is 4. diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 4d3c1904a5..d794478a6f 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md @@ -71,8 +71,8 @@ The following sample shows an OMA DM first package that contains a generic alert 1226 - com.microsoft:mdm.unenrollment.userrequest - int + com.microsoft:mdm.unenrollment.userrequest + int 1 diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md index f035ff93d4..09918702d2 100644 --- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md @@ -23,7 +23,7 @@ ms.date: 06/26/2017 # DMProcessConfigXMLFiltered function > **Important**   -The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](https://msdn.microsoft.com/en-us/library/windows/hardware/dn757424) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses. +The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](https://msdn.microsoft.com/library/windows/hardware/dn757424) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses. Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios. diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 4d50badd48..710e19855a 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -93,8 +93,8 @@ Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 me text/plainchr - <SyncML> - <SyncBody><Replace><CmdID>1001</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/Experience/AllowCortana</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace><Final/></SyncBody></SyncML> + + 1001./Vendor/MSFT/Policy/Config/Experience/AllowCortanaint0 @@ -108,15 +108,15 @@ Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 me chr - <rule schemaVersion="1.0"> + - <and> - <signal type="geoloc" latitude="47.6375" longitude="-122.1402" radiusInMeters="100"/> - <signal type="time"> - <daily startTime="09:00:00" endTime="17:00:00"/> - </signal> - </and> - </rule> + + + + + + + @@ -147,31 +147,31 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew text/plainchr - <SyncML> - <SyncBody><Replace><CmdID>1002</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/Camera/AllowCamera</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace> <Final/></SyncBody></SyncML> + + 1002./Vendor/MSFT/Policy/Config/Camera/AllowCameraint0 301 - ./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /SignalDefinition + ./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/SignalDefinition text/plain chr - <rule schemaVersion="1.0"> - <and> - <signal type="ipConfig"> - <ipv4Gateway>192.168.0.1</ipv4Gateway> - </signal> - <signal type="time"> - <daily startTime="09:00:00" endTime="17:00:00"/> - </signal> - </and> - </rule> + + + + 192.168.0.1 + + + + + + @@ -179,7 +179,7 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew 302 - ./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /Altitude + ./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/Altitude int diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 4c66aef7db..38dc886b20 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -124,7 +124,7 @@ A production ready deployment must have the appropriate certificate details as p EAP XML must be updated with relevant information for your environment This can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: -- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. +- For Wi-Fi, look for the section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. - For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. For information about EAP Settings, see diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index dce5177a0f..e54767ae8b 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -302,7 +302,7 @@ Value is one of the following: When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted and all messages and other properties that the transport (for example, Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored). -For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the <LocURI></LocURI> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials: +For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the \\ block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials: - The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set. diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index acb4952dea..fb26b71e0c 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -70,7 +70,7 @@ Summary of steps to enable a policy: ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient - <Enabled/> + @@ -270,7 +270,7 @@ The \ payload is \. Here is an example to disable AppVirtualiza ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2 - <disabled/> + diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 010ca41cad..65b730f7d4 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -17,9 +17,10 @@ Requirements: - AD-joined PC running Windows 10, version 1709 - Enterprise has MDM service already configured - Enterprise AD must be registered with Azure AD +- Device should not already be enrolled in Intune using the classic agents (devices manged using agents will fail enrollment with error 0x80180026) > [!Tip] -> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) +> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line. @@ -30,7 +31,7 @@ Here is a partial screenshot of the result: The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. > [!Note] -> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. +> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. @@ -114,8 +115,8 @@ Requirements: ### Related topics -- [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx) -- [Create and Edit a Group Policy Object](https://technet.microsoft.com/en-us/library/cc754740(v=ws.11).aspx) -- [Link a Group Policy Object](https://technet.microsoft.com/en-us/library/cc732979(v=ws.11).aspx) -- [Filter Using Security Groups](https://technet.microsoft.com/en-us/library/cc752992(v=ws.11).aspx) -- [Enforce a Group Policy Object Link](https://technet.microsoft.com/en-us/library/cc753909(v=ws.11).aspx) +- [Group Policy Management Console](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx) +- [Create and Edit a Group Policy Object](https://technet.microsoft.com/library/cc754740(v=ws.11).aspx) +- [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx) +- [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx) +- [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx) diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 006a9353a2..5b6097fb0f 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -117,7 +117,7 @@ The following diagram shows the EnterpriseAppVManagement configuration service p

    Used to perform App-V synchronization.

    **AppVPublishing/Sync/PublishXML** -

    Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](https://msdn.microsoft.com/en-us/library/mt739986.aspx).

    +

    Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](https://msdn.microsoft.com/library/mt739986.aspx).

    Supported operations are Get, Delete, and Execute.

    diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 58bdfc9908..1497a04465 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -18,7 +18,7 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra > **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile. -To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). +To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. @@ -40,7 +40,7 @@ Supported operations are Add, Delete, Get and Replace. The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table describes the entries in lockdown XML. > [!Important]    -> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability. +> When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as \< instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability. When using the AssignedAccessXml in a provisioning package using the Windows Configuration Designer tool, do not use escaped characters. @@ -51,8 +51,8 @@ ActionCenter | Example: `` ActionCenter | In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled; **AboveLock/AllowActionCenterNotifications** and **AboveLock/AllowToasts**. For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md) ActionCenter | You can also add the following optional attributes to the ActionCenter element to override the default behavior: **aboveLockToastEnabled** and **actionCenterNotificationEnabled**. Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled). In this example, the Action Center is enabled and both policies are disabled.: `` ActionCenter | These optional attributes are independent of each other. In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set. `` -StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx. **Large** - sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx. -StartScreenSize | If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `Large` +StartScreenSize | Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions. Valid values: **Small** - sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx. **Large** - sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx. +StartScreenSize | If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4. Example: `Large` Application | Provide the product ID for each app that will be available on the device. You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid). Application | To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface. Example: `` Application | modern app notification @@ -105,7 +105,7 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.m Entry | Description ----------- | ------------ -Folder | A folder should be contained in <Applications/> node among with other <Application/> nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder. +Folder | A folder should be contained in node among with other nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder. Folder example: ``` syntax @@ -246,7 +246,7 @@ Entry | Description ----------- | ------------ Settings | Starting in Windows 10, version 1703, you can specify the settings pages using the settings URI. -For example, in place of SettingPageDisplay, you would use ms-settings:display. See [ms-settings: URI scheme reference](https://docs.microsoft.com/en-us/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each settings page. +For example, in place of SettingPageDisplay, you would use ms-settings:display. See [ms-settings: URI scheme reference](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to find the URI for each settings page. Here is an example for Windows 10, version 1703. @@ -403,7 +403,7 @@ The Search and custom buttons can be remapped or configured to open a s > > Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role. -To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open. +To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open. ``` syntax @@ -1199,7 +1199,7 @@ The following example shows how to add a new policy.             +            value=""/>       @@ -1237,7 +1237,7 @@ The following example shows how to lock down a device. ./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml - <?xml version="1.0" encoding="utf-8"?><HandheldLockdown version="1.0"><Default><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="2"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /><Button name="Search" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Default><RoleList><Role guid="{76C01983-A872-4C4E-B4C6-321EAC709CEA}" name="Associate"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role><Role guid="{8ABB8A10-4418-4467-9E18-99D11FA54E30}" name="Manager"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role></RoleList></HandheldLockdown> +     - + - + - + - + -
    Update channel Primary purposeLOB Tatoo availabilityLOB Tattoo availability Default update channel for the products
    [Current channel](https://technet.microsoft.com/en-us/library/mt455210.aspx#BKMK_CB)[Current channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_CB) Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. March 9 2017

    Visio Pro for Office 365

    @@ -157,15 +157,15 @@ We have updated Skype for Business to work with MAM. The following table explain

    Office 365 Business (the version of Office that comes with some Office 365 plans, such as Business Premium.)
    [Deferred channel](https://technet.microsoft.com/en-us/library/mt455210.aspx#BKMK_CBB)[Deferred channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_CBB) Provide users with new features of Office only a few times a year. October 10 2017 Office 365 ProPlus
    [First release for deferred channel](https://technet.microsoft.com/en-us/library/mt455210.aspx#BKMK_FRCBB)[First release for deferred channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB) Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. June 13 2017
    \ No newline at end of file + diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index b149873eb6..eb70f310ec 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: jdeckerms -ms.date: 09/12/2018 +ms.date: 10/09/2018 --- # Mobile device management @@ -23,7 +23,27 @@ There are two parts to the Windows 10 management component: - The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). + +## MDM security baseline + +With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices. + +>[!NOTE] +>Intune support for the MDM security baseline is coming soon. + +The MDM security baseline includes policies that cover the following areas: + +- Microsoft inbox security technology (not deprecated) such as Bitlocker, Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall +- Restricting remote access to devices +- Setting credential requirements for passwords and PINs +- Restricting use of legacy technology +- Legacy technology policies that offer alternative solutions with modern technology +- And much more + +For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [MDM Security baseline (Preview) for Windows 10, version 1809](http://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip). + + ## Learn about migrating to MDM @@ -44,7 +64,7 @@ When an organization wants to move to MDM to manage devices, they should prepare - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) - [Enterprise app management](enterprise-app-management.md) -- [Device update management](device-update-management.md) +- [Mobile device management (MDM) for device updates](device-update-management.md) - [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md) - [OMA DM protocol support](oma-dm-protocol-support.md) - [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md) diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md index 22cbf8519f..1c0fd67bf1 100644 --- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md @@ -123,7 +123,7 @@ MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The Here are the details for requesting an authorization token: -- Login Authority = https://login.windows.net/<TargetTenantId> +- Login Authority = https://login.windows.net/\ - Resource/audience\* = https://onestore.microsoft.com - ClientId = your AAD application client id - ClientSecret = your AAD application client secret/key diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 879a44bf9b..4d9e65932e 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/27/2018 +ms.date: 12/06/2018 --- # What's new in MDM enrollment and management @@ -928,7 +928,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx) +The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx)

    The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

    • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
      • @@ -1255,7 +1255,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
    • WindowsDefenderSecurityCenter/HideSecureBoot
    • WindowsDefenderSecurityCenter/HideTPMTroubleshooting
    -

    Security/RequireDeviceEncrption - updated to show it is supported in desktop.

    +

    Security/RequireDeviceEncryption - updated to show it is supported in desktop.

    [BitLocker CSP](bitlocker-csp.md) @@ -1405,7 +1405,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  • Defender/EnableLowCPUPriority
  • Defender/SignatureUpdateFallbackOrder
  • Defender/SignatureUpdateFileSharesSources
    • -
  • DeviceGuard/EnableSystemGuard
    • +
  • DeviceGuard/ConfigureSystemGuardLaunch
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
    • @@ -1760,11 +1760,18 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### December 2018 + +|New or updated topic | Description| +|--- | ---| +|[BitLocker CSP](bitlocker-csp.md)|Updated AllowWarningForOtherDiskEncryption policy description to describe silent and non-silent encryption scenarios, as well as where and how the recovery key is backed up for each scenario.| + ### September 2018 -New or updated topic | Description ---- | --- -[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT). +|New or updated topic | Description| +|--- | ---| +|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).| +|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.| ### August 2018 @@ -1912,7 +1919,7 @@ New or updated topic | Description
  • Defender/EnableLowCPUPriority
  • Defender/SignatureUpdateFallbackOrder
  • Defender/SignatureUpdateFileSharesSources
    • -
  • DeviceGuard/EnableSystemGuard
    • +
  • DeviceGuard/ConfigureSystemGuardLaunch
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
    • @@ -2334,7 +2341,7 @@ New or updated topic | Description
  • Settings/AllowOnlineTips
  • System/DisableEnterpriseAuthProxy
    • -

    Security/RequireDeviceEncrption - updated to show it is supported in desktop.

    +

    Security/RequireDeviceEncryption - updated to show it is supported in desktop.

    [BitLocker CSP](bitlocker-csp.md) @@ -2512,7 +2519,7 @@ New or updated topic | Description

    Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

    -The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx) +The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/library/mt221945.aspx)

    The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:

    • UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
      • diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index 7c55d4f21c..28bcf637f6 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -334,7 +334,7 @@ A Get operation on ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/Expect A Get operation on the ChangedNodesData returns an encoded XML. Here is example: ```syntax -<Nodes><Node Id="10" Uri=""></Node><Node Id="20" Uri="./DevDetail/Ext/Microsoft/DeviceName">U09NRU5FV1ZBTFVF</Node></Nodes> +U09NRU5FV1ZBTFVF ``` It represents this: diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 0570cae0e3..cfaec14999 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -14,7 +14,7 @@ ms.date: 08/15/2018 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365). +The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365). This CSP was added in Windows 10, version 1703. diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md index 4649e684c3..6431b3c083 100644 --- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md @@ -1,6 +1,6 @@ --- -title: On-premise authentication device enrollment -description: This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. +title: On-premises authentication device enrollment +description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. ms.assetid: 626AC8B4-7575-4C41-8D59-185D607E3A47 ms.author: maricia ms.topic: article @@ -10,16 +10,17 @@ author: MariciaAlforque ms.date: 06/26/2017 --- -# On-premise authentication device enrollment +# On-premises authentication device enrollment - -This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). ## In this topic -- [Discovery service](#discovery-service) -- [Enrollment policy web service](#enrollment-policy-web-service) -- [Enrollment web service](#enrollment-web-service) +- [On-premises authentication device enrollment](#on-premises-authentication-device-enrollment) + - [In this topic](#in-this-topic) + - [Discovery service](#discovery-service) + - [Enrollment policy web service](#enrollment-policy-web-service) + - [Enrollment web service](#enrollment-web-service) For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). @@ -27,9 +28,9 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. The service is a restful web service over HTTPS (server authentication only). -> **Note**  The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. +>[!NOTE] +>The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. -  The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc The first request is a standard HTTP GET request. @@ -126,9 +127,9 @@ The discovery response is in the XML format and includes the following fields: - Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. - Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. +>[!NOTE] +>The HTTP server response must not be chunked; it must be sent as one message. -  The following example shows a response received from the discovery web service for OnPremise authentication: ``` syntax @@ -211,9 +212,9 @@ After the user is authenticated, the web service retrieves the certificate templ MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. We will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. +>[!NOTE] +>The HTTP server response must not be chunked; it must be sent as one message. -  The following snippet shows the policy web service response. ``` syntax @@ -303,9 +304,9 @@ The RequestSecurityToken will use a custom TokenType (http://schema The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. -> **Note**  The policy service and the enrollment service must be on the same server; that is, they must have the same host name. +>[!NOTE] +>The policy service and the enrollment service must be on the same server; that is, they must have the same host name. -  The following example shows the enrollment web service request for OnPremise authentication. ``` syntax @@ -514,12 +515,4 @@ The following example shows the encoded provisioning XML. -``` - -  - - - - - - +``` \ No newline at end of file diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 4b08386596..7bc515edc2 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/26/2018 +ms.date: 10/31/2018 --- # PassportForWork CSP @@ -212,7 +212,7 @@ Node for defining biometric settings. This node was added in Windows 10, versi **Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. -Default value is false. If you set this policy to true, biometric gestures are enabled for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. +Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 6f65055513..79bf2a8409 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -21,7 +21,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic The XML below is for Windows 10, version 1809. -``` syntax +```xml False - Enables/Disables Dyanamic Lock + Enables/Disables Dynamic Lock @@ -1304,4 +1304,4 @@ Note that enhanced anti-spoofing for Windows Hello face authentication is not re -``` \ No newline at end of file +``` diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index f636ec9c6d..b8eeef6c2d 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -100,7 +100,7 @@ The following diagram shows the Policy configuration service provider in tree fo

      Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md). > [!NOTE] -> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx). +> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/library/cc179097.aspx).

      ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}`. @@ -987,7 +987,7 @@ The following diagram shows the Policy configuration service provider in tree fo

      - DeviceGuard/EnableSystemGuard + DeviceGuard/ConfigureSystemGuardLaunch
      DeviceGuard/EnableVirtualizationBasedSecurity @@ -2280,13 +2280,7 @@ The following diagram shows the Policy configuration service provider in tree fo
      -### Location policies -
      -
      - Location/EnableLocation -
      -
      ### LockDown policies @@ -4324,7 +4318,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) -- [DeviceGuard/EnableSystemGuard](./policy-csp-deviceguard.md#deviceguard-enablesystemguard) +- [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch) - [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity) - [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags) - [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures) @@ -4678,7 +4672,6 @@ The following diagram shows the Policy configuration service provider in tree fo - [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation) - [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode) - [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations) -- [Location/EnableLocation](./policy-csp-location.md#location-enablelocation) - [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe) - [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes) - [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) @@ -5020,13 +5013,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength) - [Experience/AllowCortana](#experience-allowcortana) - [Experience/AllowManualMDMUnenrollment](#experience-allowmanualmdmunenrollment) -- [Privacy/AllowCrossDeviceClipboard](#privacy-allowcrossdeviceclipboard) - [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization) -- [Privacy/LetAppsAccessGazeInput](#privacy-letappsaccessgazeinput) -- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](#privacy-letappsaccessgazeinput-forceallowtheseapps) -- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](#privacy-letappsaccessgazeinput-forcedenytheseapps) -- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](#privacy-letappsaccessgazeinput-userincontroloftheseapps) -- [Privacy/UploadUserActivities](#privacy-uploaduseractivities) - [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation) - [Security/RequireDeviceEncryption](#security-requiredeviceencryption) - [Settings/AllowDateTime](#settings-allowdatetime) @@ -5040,6 +5027,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [Update/UpdateServiceUrl](#update-updateserviceurl) + ## Policies that can be set using Exchange Active Sync (EAS) diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 1c06c38801..c936dbc5db 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -1046,7 +1046,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 7578533727..5d622c650d 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -497,6 +497,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md index c9fdf5ff82..dfad46a493 100644 --- a/windows/client-management/mdm/policy-csp-bits.md +++ b/windows/client-management/mdm/policy-csp-bits.md @@ -498,7 +498,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index f73ed9e092..82eb7ed2c3 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/30/2018 +ms.date: 11/15/2018 --- # Policy CSP - Bluetooth @@ -352,15 +352,21 @@ Footnote: ## ServicesAllowedList usage guide -When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly define Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG). +When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG). -To define which profiles and services are allowed, enter the profile or service Universally Unique Identifiers (UUID) using semicolon delimiter. To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. +- Disabling a service shall block incoming and outgoing connections for such services +- Disabling a service shall not publish an SDP record containing the service being blocked +- Disabling a service shall not allow SDP to expose a record for a blocked service +- Disabling a service shall log when a service is blocked for auditing purposes +- Disabling a service shall take effect upon reload of the stack or system reboot + +To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website. These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID. Here are some examples: -**Bluetooth Headsets for Voice (HFP)** +**Example of how to enable Hands Free Profile (HFP)** BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB @@ -370,8 +376,22 @@ BASE_UUID = 0x00000000-0000-1000-8000-00805F9B34FB Footnote: * Used as both Service Class Identifier and Profile Identifier. -Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000111E-0000-1000-8000-00805F9B34FB +Hands Free Profile UUID = base UUID + 0x111E to the beginning = 0000**111E**-0000-1000-8000-00805F9B34FB +**Allow Audio Headsets (Voice)** + +|Profile|Reasoning|UUID| +|-|-|-| +|HFP (Hands Free Profile)|For voice-enabled headsets|0x111E| +|Generic Audio Service|Generic audio service|0x1203| +|Headset Service Class|For older voice-enabled headsets|0x1108| +|PnP Information|Used to identify devices occasionally|0x1200| + +This means that if you only want Bluetooth headsets, the UUIDs to include are: + +{0000111E-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB} + + **Allow Audio Headsets and Speakers (Voice & Music)** |Profile |Reasoning |UUID | |---------|---------|---------| |HFP (Hands Free Profile) |For voice enabled headsets |0x111E | -|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110A | -|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 | -|Device ID (DID) |Generic service used by Bluetooth |0x180A | -|Scan Parameters |Generic service used by Bluetooth |0x1813 | +|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110B| +|Generic Audio Service|Generic service used by Bluetooth|0x1203| +|Headset Service Class|For older voice-enabled headsets|0x1108| +|AV Remote Control Target Service|For controlling audio remotely|0x110C| +|AV Remote Control Service|For controlling audio remotely|0x110E| +|AV Remote Control Controller Service|For controlling audio remotely|0x110F| +|PnP Information|Used to identify devices occasionally|0x1200| -{0000111E-0000-1000-8000-00805F9B34FB};{0000110A-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} +{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; **Classic Keyboards and Mice** |Profile |Reasoning |UUID | |---------|---------|---------| |HID (Human Interface Device) |For classic BR/EDR keyboards and mice |0x1124 | -|GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 | -|DID (Device ID) |Generic service used by Bluetooth |0x180A | -|Scan Parameters |Generic service used by Bluetooth |0x1813 | +|PnP Information|Used to identify devices occasionally|0x1200| -{00001801-0000-1000-8000-00805F9B34FB};{00001812-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} +{00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB}; -> [!Note] -> For both Classic and LE use a super set of the two formula’s UUIDs **LE Keyboards and Mice** |Profile |Reasoning |UUID | |---------|---------|---------| -|Generic Access Atribute |For the LE Protocol |0x1801 | +|Generic Access Attribute |For the LE Protocol |0x1801 | |HID Over GATT * |For LE keyboards and mice |0x1812 | |GAP (Generic Access Profile) |Generic service used by Bluetooth |0x1800 | |DID (Device ID) |Generic service used by Bluetooth |0x180A | @@ -433,10 +453,12 @@ Footnote: * The Surface pen uses the HID over GATT profile |---------|---------|---------| |OBEX Object Push (OPP) |For file transfer |0x1105 | |Object Exchange (OBEX) |Protocol for file transfer |0x0008 | -|Generic Access Profile (GAP) |Generic service used by Bluetooth |0x1800 | -|Device ID (DID) |Generic service used by Bluetooth |0x180A | -|Scan Parameters |Generic service used by Bluetooth |0x1813 | - -{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{0000111E-0000-1000-8000-00805F9B34FB};{00001800-0000-1000-8000-00805F9B34FB};{0000180A-0000-1000-8000-00805F9B34FB};{00001813-0000-1000-8000-00805F9B34FB} +|PnP Information|Used to identify devices occasionally|0x1200| +{00001105-0000-1000-8000-00805F9B34FB};{00000008-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB} +Disabling file transfer shall have the following effects +- Fsquirt shall not allow sending of files +- Fsquirt shall not allow receiving of files +- Fsquirt shall display error message informing user of policy preventing file transfer +- 3rd-party apps shall not be permitted to send or receive files using MSFT Bluetooth API diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index b31a602fc2..9397bb5aae 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.technology: windows author: shortpatti ms.author: pashort -ms.date: 08/08/2018 +ms.date: 10/02/2018 --- # Policy CSP - Browser @@ -873,7 +873,6 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-fullscreen-mode-shortdesc](../../../browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md)] @@ -1211,7 +1210,6 @@ To verify AllowPopups is set to 0 (not allowed): ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-prelaunch-shortdesc](../../../browsers/edge/shortdesc/allow-prelaunch-shortdesc.md)] @@ -1280,7 +1278,6 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-printing-shortdesc](../../../browsers/edge/shortdesc/allow-printing-shortdesc.md)] @@ -1350,7 +1347,6 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-saving-history-shortdesc](../../../browsers/edge/shortdesc/allow-saving-history-shortdesc.md)] @@ -1549,7 +1545,6 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-sideloading-of-extensions-shortdesc](../../../browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md)] @@ -1688,7 +1683,6 @@ To verify AllowSmartScreen is set to 0 (not allowed): ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-tab-preloading-shortdesc](../../../browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md)] @@ -1757,7 +1751,6 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../../../browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] @@ -2029,7 +2022,6 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [configure-favorites-bar-shortdesc](../../../browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md)] @@ -2099,8 +2091,6 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [configure-home-button-shortdesc](../../../browsers/edge/shortdesc/configure-home-button-shortdesc.md)] @@ -2174,12 +2164,10 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [configure-kiosk-mode-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md)] -For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). +For this policy to work, you must configure Microsoft Edge in assigned access; otherwise, Microsoft Edge ignores the settings in this policy. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-shared-pc). @@ -2252,12 +2240,11 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] -You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). +You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access for this policy to take effect; otherwise, Microsoft Edge ignores this setting. To learn more about assigned access and kiosk configuration, see [Configure kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/windows/configuration/kiosk-shared-pc). @@ -2324,8 +2311,6 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../../../browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] @@ -2407,8 +2392,6 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../../../browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] @@ -2487,7 +2470,7 @@ Most restricted value: 0 > This policy has no effect when the Browser/HomePages policy is not configured.    > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy). Most restricted value: 0 @@ -2632,7 +2615,7 @@ ADMX Info: Supported values: - 0 (default) - Turned off. Microsoft Edge does not check the Enterprise Mode Site List, and in this case, users might experience problems while using legacy apps. -- Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.

      For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp). +- 1 - Turned on. Microsoft Edge checks the Enterprise Mode Site List if configured. If an XML file exists in the cache container, IE11 waits 65 seconds and then checks the local cache for a new version from the server. If the server has a different version, Microsoft Edge uses the server file and stores it in the cache container. If you already use a site list, Enterprise Mode continues to work during the 65 second, but uses the existing file. To add the location to your site list, enter it in the {URI} box.

      For details on how to configure the Enterprise Mode Site List, see [Interoperability and enterprise guidance](https://docs.microsoft.com/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp). @@ -2781,7 +2764,7 @@ Starting with this version, the HomePages policy enforces that users cannot chan **Version 1703**
      If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL. -**Next Windows 10 major release**
      +**Version 1809**
      When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages your want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy. @@ -2970,7 +2953,6 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [prevent-certificate-error-overrides-shortdesc](../../../browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md)] @@ -3555,7 +3537,7 @@ Most restricted value: 0 [!INCLUDE [set-default-search-engine-shortdesc](../../../browsers/edge/shortdesc/set-default-search-engine-shortdesc.md)] > [!IMPORTANT] -> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy). +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](https://docs.microsoft.com/legal/windows/agreements/microsoft-browser-extension-policy). Most restricted value: 0 @@ -3575,7 +3557,7 @@ Supported values: - Blank (default) - Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [AllowSearchEngineCustomization](https://review.docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser?branch=microsoft-edge-preview#browser-allowsearchenginecustomization) policy, users cannot make changes. - 0 - Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. -- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

      Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

      If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.

      If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. +- 1 - Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

      Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

      If you want users to use the default Microsoft Edge settings for each market, set the string to **EDGEDEFAULT**.

      If you want users to use Microsoft Bing as the default search engine, then set the string to **EDGEBING**. Most restricted value: 1 @@ -3620,8 +3602,6 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [set-home-button-url-shortdesc](../../../browsers/edge/shortdesc/set-home-button-url-shortdesc.md)] @@ -3689,8 +3669,6 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* - [!INCLUDE [set-new-tab-url-shortdesc](../../../browsers/edge/shortdesc/set-new-tab-url-shortdesc.md)] @@ -3897,7 +3875,6 @@ To verify that favorites are in synchronized between Internet Explorer and Micro ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* [!INCLUDE [unlock-home-button-shortdesc](../../../browsers/edge/shortdesc/unlock-home-button-shortdesc.md)] @@ -3994,7 +3971,7 @@ Footnote: - 2 - Supported versions, version 1703. - 3 - Supported versions, version 1709. - 4 - Supported versions, version 1803. -- 5 - Added in the next major update to Windows of Windows 10. +- 5 - Supported versions, version 1809. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 78c970b208..23c0950c12 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/08/2018 +ms.date: 11/14/2018 --- # Policy CSP - Defender @@ -1040,7 +1040,7 @@ ADMX Info: Added in Windows 10, version 1709. This policy setting enables setting the state (Block/Audit/Off) for each Attack surface reduction (ASR) rule. Each ASR rule listed can be set to one of the following states (Block/Audit/Off). The ASR rule ID and state should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid ASR rule ID, while the value contains the status ID indicating the status of the rule. -For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). +For more information about ASR rule ID and status ID, see [Enable Attack Surface Reduction](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction). Value type is string. @@ -1366,7 +1366,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. -Added in Windows 10, version 1709. This policy setting allows user-specified applications to the guard my folders feature. Adding an allowed application means the guard my folders feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. +Added in Windows 10, version 1709. This policy setting allows user-specified applications to the controlled folder access feature. Adding an allowed application means the controlled folder access feature will allow the application to modify or delete content in certain folders such as My Documents. In most cases it will not be necessary to add entries. Windows Defender Antivirus will automatically detect and dynamically add applications that are friendly. Value type is string. Use the | as the substring separator. @@ -1421,7 +1421,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. -Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the guard my folders feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. +Added in Windows 10, version 1709. This policy settings allows adding user-specified folder locations to the controlled folder access feature. These folders will complement the system defined folders such as My Documents and My Pictures. The list of system folders will be displayed in the user interface and can not be changed. Value type is string. Use the | as the substring separator. @@ -1679,7 +1679,7 @@ ADMX Info: > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess. -Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the guard my folders feature. The guard my folders feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. +Added in Windows 10, version 1709. This policy enables setting the state (On/Off/Audit) for the controlled folder access feature. The controlled folder access feature removes modify and delete permissions from untrusted applications to certain folders such as My Documents. Value type is integer and the range is 0 - 2. @@ -2760,7 +2760,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index 7c7ed13b63..95e6d74539 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -1566,7 +1566,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index cacbb2acc6..248f11d3fd 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/30/2018 +ms.date: 09/20/2018 --- # Policy CSP - DeviceGuard @@ -22,7 +22,7 @@ ms.date: 07/30/2018

      - DeviceGuard/EnableSystemGuard + DeviceGuard/ConfigureSystemGuardLaunch
      DeviceGuard/EnableVirtualizationBasedSecurity @@ -39,7 +39,7 @@ ms.date: 07/30/2018
      -**DeviceGuard/EnableSystemGuard** +**DeviceGuard/ConfigureSystemGuardLaunch** @@ -82,7 +82,7 @@ Secure Launch configuration: - 1 - Enables Secure Launch if supported by hardware - 2 - Disables Secure Launch. -For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/en-us/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows). +For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://cloudblogs.microsoft.com/microsoftsecure/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [How hardware-based containers help protect Windows 10](https://docs.microsoft.com/windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows). @@ -289,7 +289,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 5dabbc96ab..c59542326a 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -6,14 +6,11 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/23/2018 +ms.date: 01/08/2019 --- # Policy CSP - DeviceInstallation -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
      @@ -80,19 +77,26 @@ ms.date: 07/23/2018 -This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. + +> [!TIP] +> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -113,6 +117,37 @@ ADMX Info: +To enable this policy, use the following SyncML. This example allows Windows to install compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceIDs + + + string + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` +
      @@ -151,19 +186,28 @@ ADMX Info: -This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. + +> [!TIP] +> Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one. If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. +This setting allows device installation based on the serial number of a removable device if that number is in the hardware ID. + If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + + > [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -184,6 +228,44 @@ ADMX Info: +To enable this policy, use the following SyncML. This example allows Windows to install: + +- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318} +- CD ROMs, ClassGUID = {4d36e965-e325-11ce-bfc1-08002be10318} +- Modems, ClassGUID = {4d36e96d-e325-11ce-bfc1-08002be10318} + +Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses + + + string + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` +
      @@ -228,6 +310,8 @@ If you enable this policy setting, Windows does not retrieve device metadata for If you disable or do not configure this policy setting, the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from the Internet. + + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -255,6 +339,37 @@ ADMX Info: +To enable this policy, use the following SyncML. This example prevents Windows from retrieving device metadata. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + + + integer + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` +
      @@ -299,6 +414,7 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy setting. + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -370,6 +486,8 @@ If you enable this policy setting, Windows is prevented from installing a device If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -388,7 +506,38 @@ ADMX Info: +
      +To enable this policy, use the following SyncML. This example prevents Windows from installing compatible devices with a device ID of USB\Composite or USB\Class_FF. To configure multiple classes, use `` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_IDs_Deny_Retroactive to true. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs + + + string + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` **DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** @@ -432,6 +581,8 @@ If you enable this policy setting, Windows is prevented from installing or updat If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. +Peripherals can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). @@ -451,13 +602,51 @@ ADMX Info:
      +To enable this policy, use the following SyncML. This example prevents Windows from installing: + +- Floppy Disks, ClassGUID = {4d36e980-e325-11ce-bfc1-08002be10318} +- CD ROMs, ClassGUID = {4d36e965-e325-11ce-bfc1-08002be10318} +- Modems, ClassGUID = {4d36e96d-e325-11ce-bfc1-08002be10318} + +Enclose the class GUID within curly brackets {}. To configure multiple classes, use `` as a delimiter. To apply the policy to matching device classes that are already installed, set DeviceInstall_Classes_Deny_Retroactive to true. + + +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses + + + string + + + + + + +``` + +To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see if the following is listed near the end of the log: + +```txt +>>> [Device Installation Restrictions Policy Check] +>>> Section start 2018/11/15 12:26:41.659 +<<< Section end 2018/11/15 12:26:41.751 +<<< [Exit status: SUCCESS] +``` + Footnote: - 1 - Added in Windows 10, version 1607. - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md index 2960d7874f..9c1747dae9 100644 --- a/windows/client-management/mdm/policy-csp-dmaguard.md +++ b/windows/client-management/mdm/policy-csp-dmaguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/29/2018 +ms.date: 12/17/2018 --- # Policy CSP - DmaGuard @@ -65,7 +65,11 @@ ms.date: 06/29/2018 -This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. +This policy is intended to provide additional security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices incompatible with DMA Remapping/device memory isolation and sandboxing. + +Device memory sandboxing allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. + +This policy only takes effect when Kernel DMA Protection is supported and enabled by the system firmware. Kernel DMA Protection is a platform feature that cannot be controlled via policy or by end user. It has to be supported by the system at the time of manufacturing. To check if the system supports Kernel DMA Protection, please check the Kernel DMA Protection field in the Summary page of MSINFO32.exe. > [!Note] > This policy does not apply to 1394/Firewire, PCMCIA, CardBus, or ExpressCard devices. @@ -105,7 +109,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index ab5ac2d009..c267e4587c 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -1437,7 +1437,7 @@ The following list shows the supported values: [!INCLUDE [do-not-sync-browser-settings-shortdesc](../../../browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md)] Related policy: - [PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) + [PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) @@ -1523,7 +1523,7 @@ _**Turn syncing off by default but don’t disable**_ [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../../../browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] Related policy: - [DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) + [DoNotSyncBrowserSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) @@ -1577,7 +1577,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md index 1d88286ceb..5dda241c5f 100644 --- a/windows/client-management/mdm/policy-csp-exploitguard.md +++ b/windows/client-management/mdm/policy-csp-exploitguard.md @@ -63,7 +63,7 @@ ms.date: 03/12/2018 -Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). +Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml). The system settings require a reboot; the application settings do not require a reboot. diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 846fbce380..276d6b2c9e 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -1,426 +1,427 @@ ---- -title: Policy CSP - Kerberos -description: Policy CSP - Kerberos -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 08/08/2018 ---- - -# Policy CSP - Kerberos - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
      - - -## Kerberos policies - -
      -
      - Kerberos/AllowForestSearchOrder -
      -
      - Kerberos/KerberosClientSupportsClaimsCompoundArmor -
      -
      - Kerberos/RequireKerberosArmoring -
      -
      - Kerberos/RequireStrictKDCValidation -
      -
      - Kerberos/SetMaximumContextTokenSize -
      -
      - Kerberos/UPNNameHints -
      -
      - - -
      - - -**Kerberos/AllowForestSearchOrder** - - -
      - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). - -If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. - -If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Use forest search order* -- GP name: *ForestSearch* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
      - - -**Kerberos/KerberosClientSupportsClaimsCompoundArmor** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. -If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. - -If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring* -- GP name: *EnableCbacAndArmor* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
      - - -**Kerberos/RequireKerberosArmoring** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. - -Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. - -If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. - -Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. - -If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Fail authentication requests when Kerberos armoring is not available* -- GP name: *ClientRequireFast* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
      - - -**Kerberos/RequireStrictKDCValidation** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. - -If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. - -If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Require strict KDC validation* -- GP name: *ValidateKDC* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
      - - -**Kerberos/SetMaximumContextTokenSize** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. - -The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. - -If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. - -If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. - -Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Set maximum Kerberos SSPI context token buffer size* -- GP name: *MaxTokenSize* -- GP path: *System/Kerberos* -- GP ADMX file name: *Kerberos.admx* - - - - -
      - - -**Kerberos/UPNNameHints** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal. - -Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. - - - - - - - - - - - - -
      - -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - +--- +title: Policy CSP - Kerberos +description: Policy CSP - Kerberos +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/08/2018 +--- + +# Policy CSP - Kerberos + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
      + + +## Kerberos policies + +
      +
      + Kerberos/AllowForestSearchOrder +
      +
      + Kerberos/KerberosClientSupportsClaimsCompoundArmor +
      +
      + Kerberos/RequireKerberosArmoring +
      +
      + Kerberos/RequireStrictKDCValidation +
      +
      + Kerberos/SetMaximumContextTokenSize +
      +
      + Kerberos/UPNNameHints +
      +
      + + +
      + + +**Kerberos/AllowForestSearchOrder** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). + +If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. + +If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Use forest search order* +- GP name: *ForestSearch* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
      + + +**Kerberos/KerberosClientSupportsClaimsCompoundArmor** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. +If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. + +If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Kerberos client support for claims, compound authentication and Kerberos armoring* +- GP name: *EnableCbacAndArmor* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
      + + +**Kerberos/RequireKerberosArmoring** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. + +Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. + +If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. + +Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. + +If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Fail authentication requests when Kerberos armoring is not available* +- GP name: *ClientRequireFast* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
      + + +**Kerberos/RequireStrictKDCValidation** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. + +If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate. + +If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Require strict KDC validation* +- GP name: *ValidateKDC* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
      + + +**Kerberos/SetMaximumContextTokenSize** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. + +The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. + +If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. + +If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value. + +Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Set maximum Kerberos SSPI context token buffer size* +- GP name: *MaxTokenSize* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
      + + +**Kerberos/UPNNameHints** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Adds a list of domains that an Azure Active Directory joined device can attempt to contact when it cannot resolve a UPN to a principal. + +Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an Azure Active Directory UPN into an Active Directory Principal. You can use this policy to avoid those failures. + + + + + + + + + + + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md index fb8a4b73e9..57cbcfb347 100644 --- a/windows/client-management/mdm/policy-csp-kioskbrowser.md +++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md @@ -13,7 +13,7 @@ ms.date: 05/14/2018 -These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user’s browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](https://docs.microsoft.com/en-us/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_). +These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user’s browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](https://docs.microsoft.com/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_).
      diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index c536cc66a5..b1594d5d38 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -3588,7 +3588,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-location.md b/windows/client-management/mdm/policy-csp-location.md deleted file mode 100644 index 8745836c59..0000000000 --- a/windows/client-management/mdm/policy-csp-location.md +++ /dev/null @@ -1,105 +0,0 @@ ---- -title: Policy CSP - Location -description: Policy CSP - Location -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 08/09/2018 ---- - -# Policy CSP - Location - - - -
      - - -## Location policies - -
      -
      - Location/EnableLocation -
      -
      - - -
      - - -**Location/EnableLocation** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page. - -> [!IMPORTANT] -> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy. - - - -ADMX Info: -- GP English name: *Turn off Windows Location Provider* -- GP name: *DisableWindowsLocationProvider_1* -- GP path: *Windows Components/Location and Sensors/Windows Location Provider* -- GP ADMX file name: *LocationProviderAdm.admx* - - - -The following list shows the supported values: - -- 0 (default) – Disabled. -- 1 – Enabled. - - - -To validate on Desktop, do the following: - -1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected. -2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained. - - - -
      - -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. - - - diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index 6a7dbb8a95..51f9efc4a5 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -348,7 +348,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. > [!TIP] @@ -412,7 +412,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. > [!TIP] @@ -600,7 +600,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. > [!TIP] @@ -664,7 +664,7 @@ If you enable this policy setting, you must provide a value, in seconds, indicat If you disable or do not configure this policy setting, users control this setting. -If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. +If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature. > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index d9da419854..bccb2e581b 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md @@ -1,4865 +1,4866 @@ ---- -title: Policy CSP - Privacy -description: Policy CSP - Privacy -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 08/14/2018 ---- - -# Policy CSP - Privacy - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
      - - -## Privacy policies - -
      -
      - Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts -
      -
      - Privacy/AllowCrossDeviceClipboard -
      -
      - Privacy/AllowInputPersonalization -
      -
      - Privacy/DisableAdvertisingId -
      -
      - Privacy/DisablePrivacyExperience -
      -
      - Privacy/EnableActivityFeed -
      -
      - Privacy/LetAppsAccessAccountInfo -
      -
      - Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessCalendar -
      -
      - Privacy/LetAppsAccessCalendar_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessCalendar_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessCallHistory -
      -
      - Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessCamera -
      -
      - Privacy/LetAppsAccessCamera_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessCamera_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessCamera_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessContacts -
      -
      - Privacy/LetAppsAccessContacts_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessContacts_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessContacts_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessEmail -
      -
      - Privacy/LetAppsAccessEmail_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessEmail_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessEmail_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessGazeInput -
      -
      - Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessLocation -
      -
      - Privacy/LetAppsAccessLocation_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessLocation_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessLocation_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessMessaging -
      -
      - Privacy/LetAppsAccessMessaging_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessMessaging_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessMicrophone -
      -
      - Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessMotion -
      -
      - Privacy/LetAppsAccessMotion_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessMotion_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessMotion_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessNotifications -
      -
      - Privacy/LetAppsAccessNotifications_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessNotifications_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessPhone -
      -
      - Privacy/LetAppsAccessPhone_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessPhone_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessPhone_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessRadios -
      -
      - Privacy/LetAppsAccessRadios_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessRadios_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessRadios_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessTasks -
      -
      - Privacy/LetAppsAccessTasks_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessTasks_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessTasks_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsAccessTrustedDevices -
      -
      - Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps -
      -
      - Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps -
      -
      - Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsGetDiagnosticInfo -
      -
      - Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps -
      -
      - Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps -
      -
      - Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsRunInBackground -
      -
      - Privacy/LetAppsRunInBackground_ForceAllowTheseApps -
      -
      - Privacy/LetAppsRunInBackground_ForceDenyTheseApps -
      -
      - Privacy/LetAppsRunInBackground_UserInControlOfTheseApps -
      -
      - Privacy/LetAppsSyncWithDevices -
      -
      - Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps -
      -
      - Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps -
      -
      - Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps -
      -
      - Privacy/PublishUserActivities -
      -
      - Privacy/UploadUserActivities -
      -
      - - -
      - - -**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3check mark3check mark3
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. - -> [!Note] -> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. - - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 (default)– Not allowed. -- 1 – Allowed. - - - - -
      - - -**Privacy/AllowCrossDeviceClipboard** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1809. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow Clipboard synchronization across devices* -- GP name: *AllowCrossDeviceClipboard* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -0 – Not allowed. -1 (default) – Allowed. - - - - -
      - - -**Privacy/AllowInputPersonalization** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check markcheck markcheck markcheck markcheck markcheck markcheck mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow input personalization* -- GP name: *AllowInputPersonalization* -- GP path: *Control Panel/Regional and Language Options* -- GP ADMX file name: *Globalization.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. -- 1 (default) – Choice deferred to user's preference. - - - - -
      - - -**Privacy/DisableAdvertisingId** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Enables or disables the Advertising ID. - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Turn off the advertising ID* -- GP name: *DisableAdvertisingId* -- GP path: *System/User Profiles* -- GP ADMX file name: *UserProfiles.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 – Enabled. -- 65535 (default)- Not configured. - - - - -
      - - -**Privacy/DisablePrivacyExperience** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
      - - - -Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. - -Value type is integer. -- 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. -- 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade. - -In some enterprise managed environments, the privacy settings may be set by policies. In these cases, you can use this policy if you do not want to show a screen that would prompt your users to change these privacy settings. - - - -ADMX Info: -- GP English name: *Don't launch privacy settings experience on user logon* -- GP name: *DisablePrivacyExperience* -- GP path: *Windows Components/OOBE* -- GP ADMX file name: *OOBE.admx* - - - - - - - - - - - - - -
      - - -**Privacy/EnableActivityFeed** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3check mark3check mark3
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. - - - -ADMX Info: -- GP English name: *Enables Activity Feed* -- GP name: *EnableActivityFeed* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). -- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. - - - - -
      - - -**Privacy/LetAppsAccessAccountInfo** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access account information* -- GP name: *LetAppsAccessAccountInfo* -- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessCalendar** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the calendar* -- GP name: *LetAppsAccessCalendar* -- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessCallHistory** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access call history* -- GP name: *LetAppsAccessCallHistory* -- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessCamera** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the camera* -- GP name: *LetAppsAccessCamera* -- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessContacts** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access contacts* -- GP name: *LetAppsAccessContacts* -- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessEmail** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access email. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access email* -- GP name: *LetAppsAccessEmail* -- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessGazeInput** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting specifies whether Windows apps can access the eye tracker. - - - - -
      - - -**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - -
      - - -**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - -
      - - -**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. - - - - -
      - - -**Privacy/LetAppsAccessLocation** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access location. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access location* -- GP name: *LetAppsAccessLocation* -- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessMessaging** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access messaging* -- GP name: *LetAppsAccessMessaging* -- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessMicrophone** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access the microphone* -- GP name: *LetAppsAccessMicrophone* -- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessMotion** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access motion* -- GP name: *LetAppsAccessMotion* -- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessNotifications** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access notifications* -- GP name: *LetAppsAccessNotifications* -- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessPhone** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps make phone calls* -- GP name: *LetAppsAccessPhone* -- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessRadios** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps control radios* -- GP name: *LetAppsAccessRadios* -- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessTasks** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access Tasks* -- GP name: *LetAppsAccessTasks* -- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessTrustedDevices** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access trusted devices* -- GP name: *LetAppsAccessTrustedDevices* -- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsGetDiagnosticInfo** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps access diagnostic information about other apps* -- GP name: *LetAppsGetDiagnosticInfo* -- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsRunInBackground** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. - - -Most restricted value is 2. -> [!WARNING] -> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control (default). -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps run in the background* -- GP name: *LetAppsRunInBackground* -- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsSyncWithDevices** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. - - -Most restricted value is 2. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_Enum* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - -The following list shows the supported values: - -- 0 – User in control. -- 1 – Force allow. -- 2 - Force deny. - - - - -
      - - -**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. - - - -ADMX Info: -- GP English name: *Let Windows apps communicate with unpaired devices* -- GP name: *LetAppsSyncWithDevices* -- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List* -- GP path: *Windows Components/App Privacy* -- GP ADMX file name: *AppPrivacy.admx* - - - - -
      - - -**Privacy/PublishUserActivities** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3check mark3check mark3
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. - - - -ADMX Info: -- GP English name: *Allow publishing of User Activities* -- GP name: *PublishUserActivities* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -The following list shows the supported values: - -- 0 – Disabled. Apps/OS can't publish the *user activities*. -- 1 – (default) Enabled. Apps/OS can publish the *user activities*. - - - - -
      - - -**Privacy/UploadUserActivities** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Allows ActivityFeed to upload published 'User Activities'. - - - -ADMX Info: -- GP English name: *Allow upload of User Activities* -- GP name: *UploadUserActivities* -- GP path: *System/OS Policies* -- GP ADMX file name: *OSPolicy.admx* - - - -
      - -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - +--- +title: Policy CSP - Privacy +description: Policy CSP - Privacy +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/14/2018 +--- + +# Policy CSP - Privacy + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
      + + +## Privacy policies + +
      +
      + Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts +
      +
      + Privacy/AllowCrossDeviceClipboard +
      +
      + Privacy/AllowInputPersonalization +
      +
      + Privacy/DisableAdvertisingId +
      +
      + Privacy/DisablePrivacyExperience +
      +
      + Privacy/EnableActivityFeed +
      +
      + Privacy/LetAppsAccessAccountInfo +
      +
      + Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessCalendar +
      +
      + Privacy/LetAppsAccessCalendar_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessCalendar_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessCallHistory +
      +
      + Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessCamera +
      +
      + Privacy/LetAppsAccessCamera_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessCamera_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessCamera_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessContacts +
      +
      + Privacy/LetAppsAccessContacts_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessContacts_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessContacts_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessEmail +
      +
      + Privacy/LetAppsAccessEmail_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessEmail_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessEmail_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessGazeInput +
      +
      + Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessLocation +
      +
      + Privacy/LetAppsAccessLocation_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessLocation_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessLocation_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessMessaging +
      +
      + Privacy/LetAppsAccessMessaging_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessMessaging_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessMicrophone +
      +
      + Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessMotion +
      +
      + Privacy/LetAppsAccessMotion_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessMotion_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessMotion_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessNotifications +
      +
      + Privacy/LetAppsAccessNotifications_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessNotifications_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessPhone +
      +
      + Privacy/LetAppsAccessPhone_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessPhone_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessPhone_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessRadios +
      +
      + Privacy/LetAppsAccessRadios_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessRadios_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessRadios_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessTasks +
      +
      + Privacy/LetAppsAccessTasks_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessTasks_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessTasks_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsAccessTrustedDevices +
      +
      + Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps +
      +
      + Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps +
      +
      + Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsGetDiagnosticInfo +
      +
      + Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps +
      +
      + Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps +
      +
      + Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsRunInBackground +
      +
      + Privacy/LetAppsRunInBackground_ForceAllowTheseApps +
      +
      + Privacy/LetAppsRunInBackground_ForceDenyTheseApps +
      +
      + Privacy/LetAppsRunInBackground_UserInControlOfTheseApps +
      +
      + Privacy/LetAppsSyncWithDevices +
      +
      + Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps +
      +
      + Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps +
      +
      + Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps +
      +
      + Privacy/PublishUserActivities +
      +
      + Privacy/UploadUserActivities +
      +
      + + +
      + + +**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3check mark3check mark3
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps. + +> [!Note] +> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709. + + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 (default)– Not allowed. +- 1 – Allowed. + + + + +
      + + +**Privacy/AllowCrossDeviceClipboard** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1809. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow Clipboard synchronization across devices* +- GP name: *AllowCrossDeviceClipboard* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +0 – Not allowed. +1 (default) – Allowed. + + + + +
      + + +**Privacy/AllowInputPersonalization** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check markcheck markcheck markcheck markcheck markcheck markcheck mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow input personalization* +- GP name: *AllowInputPersonalization* +- GP path: *Control Panel/Regional and Language Options* +- GP ADMX file name: *Globalization.admx* + + + +The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Choice deferred to user's preference. + + + + +
      + + +**Privacy/DisableAdvertisingId** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Enables or disables the Advertising ID. + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Turn off the advertising ID* +- GP name: *DisableAdvertisingId* +- GP path: *System/User Profiles* +- GP ADMX file name: *UserProfiles.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. +- 1 – Enabled. +- 65535 (default)- Not configured. + + + + +
      + + +**Privacy/DisablePrivacyExperience** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
      + + + +Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users. + +Value type is integer. +- 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade. +- 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade. + +In some enterprise managed environments, the privacy settings may be set by policies. In these cases, you can use this policy if you do not want to show a screen that would prompt your users to change these privacy settings. + + + +ADMX Info: +- GP English name: *Don't launch privacy settings experience on user logon* +- GP name: *DisablePrivacyExperience* +- GP path: *Windows Components/OOBE* +- GP ADMX file name: *OOBE.admx* + + + + + + + + + + + + + +
      + + +**Privacy/EnableActivityFeed** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3check mark3check mark3
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1709. Allows IT Admins to allow Apps/OS to publish to the activity feed. + + + +ADMX Info: +- GP English name: *Enables Activity Feed* +- GP name: *EnableActivityFeed* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the activities and roaming is disabled. (not published to the cloud). +- 1 – (default) Enabled. Apps/OS can publish the activities and will be roamed across device graph. + + + + +
      + + +**Privacy/LetAppsAccessAccountInfo** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access account information. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access account information* +- GP name: *LetAppsAccessAccountInfo* +- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessCalendar** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the calendar* +- GP name: *LetAppsAccessCalendar* +- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessCallHistory** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access call history. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access call history* +- GP name: *LetAppsAccessCallHistory* +- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessCamera** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessCamera_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessCamera_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the camera* +- GP name: *LetAppsAccessCamera* +- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessContacts** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessContacts_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessContacts_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access contacts* +- GP name: *LetAppsAccessContacts* +- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessEmail** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access email. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessEmail_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessEmail_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access email* +- GP name: *LetAppsAccessEmail* +- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessGazeInput** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting specifies whether Windows apps can access the eye tracker. + + + + +
      + + +**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + +
      + + +**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the eye tracker. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + +
      + + +**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the eye tracker privacy setting for the listed apps. This setting overrides the default LetAppsAccessGazeInput policy setting for the specified apps. + + + + +
      + + +**Privacy/LetAppsAccessLocation** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access location. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessLocation_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessLocation_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access location* +- GP name: *LetAppsAccessLocation* +- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessMessaging** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS). + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access messaging* +- GP name: *LetAppsAccessMessaging* +- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessMicrophone** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access the microphone* +- GP name: *LetAppsAccessMicrophone* +- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessMotion** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessMotion_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessMotion_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access motion* +- GP name: *LetAppsAccessMotion* +- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessNotifications** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access notifications* +- GP name: *LetAppsAccessNotifications* +- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessPhone** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessPhone_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessPhone_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps make phone calls* +- GP name: *LetAppsAccessPhone* +- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessRadios** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessRadios_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessRadios_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps control radios* +- GP name: *LetAppsAccessRadios* +- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessTasks** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessTasks_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessTasks_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access Tasks* +- GP name: *LetAppsAccessTasks* +- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessTrustedDevices** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access trusted devices* +- GP name: *LetAppsAccessTrustedDevices* +- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsGetDiagnosticInfo** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps access diagnostic information about other apps* +- GP name: *LetAppsGetDiagnosticInfo* +- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsRunInBackground** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. + + +Most restricted value is 2. +> [!WARNING] +> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control (default). +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark2check mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps run in the background* +- GP name: *LetAppsRunInBackground* +- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsSyncWithDevices** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. + + +Most restricted value is 2. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_Enum* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + +The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + + + + +
      + + +**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark1check mark1check mark1check mark1check mark1check mark1check mark1
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Microsoft Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + +ADMX Info: +- GP English name: *Let Windows apps communicate with unpaired devices* +- GP name: *LetAppsSyncWithDevices* +- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List* +- GP path: *Windows Components/App Privacy* +- GP ADMX file name: *AppPrivacy.admx* + + + + +
      + + +**Privacy/PublishUserActivities** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark3check mark3check mark3check mark3check mark3check mark3check mark3
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1709. Allows It Admins to enable publishing of user activities to the activity feed. + + + +ADMX Info: +- GP English name: *Allow publishing of User Activities* +- GP name: *PublishUserActivities* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +The following list shows the supported values: + +- 0 – Disabled. Apps/OS can't publish the *user activities*. +- 1 – (default) Enabled. Apps/OS can publish the *user activities*. + + + + +
      + + +**Privacy/UploadUserActivities** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark5check mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Allows ActivityFeed to upload published 'User Activities'. + + + +ADMX Info: +- GP English name: *Allow upload of User Activities* +- GP name: *UploadUserActivities* +- GP path: *System/OS Policies* +- GP ADMX file name: *OSPolicy.admx* + + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index fb505e937f..15119bff73 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md @@ -747,7 +747,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 5886443c5d..ffb4629d06 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -788,6 +788,7 @@ The following list shows the supported values: > [!div class = "checklist"] > * Device +> * User
      diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 5c8db780af..bbbecfc8b2 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -1700,7 +1700,7 @@ Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/. > [!IMPORTANT] > Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. -The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/en-us/windows/configuration/start-secondary-tiles). +The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/windows/configuration/start-secondary-tiles). @@ -1826,7 +1826,7 @@ Here is additional SKU support information: Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy -For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/en-us/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-10-taskbar). +For further details on how to customize the Start layout, please see [Customize and export Start layout](https://docs.microsoft.com/windows/configuration/customize-and-export-start-layout) and [Configure Windows 10 taskbar](https://docs.microsoft.com/windows/configuration/configure-windows-10-taskbar). @@ -1846,7 +1846,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-storage.md b/windows/client-management/mdm/policy-csp-storage.md index 9284052651..1701229b65 100644 --- a/windows/client-management/mdm/policy-csp-storage.md +++ b/windows/client-management/mdm/policy-csp-storage.md @@ -1,235 +1,236 @@ ---- -title: Policy CSP - Storage -description: Policy CSP - Storage -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 08/27/2018 ---- - -# Policy CSP - Storage - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
      - - -## Storage policies - -
      -
      - Storage/AllowDiskHealthModelUpdates -
      -
      - Storage/EnhancedStorageDevices -
      -
      - Storage/RemovableDiskDenyWriteAccess -
      -
      - - -
      - - -**Storage/AllowDiskHealthModelUpdates** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1709. Allows disk health model updates. - - - -Value type is integer. - - - -ADMX Info: -- GP English name: *Allow downloading updates to the Disk Failure Prediction Model* -- GP name: *SH_AllowDiskHealthModelUpdates* -- GP path: *System/Storage Health* -- GP ADMX file name: *StorageHealth.admx* - - - -The following list shows the supported values: - -- 0 - Do not allow -- 1 (default) - Allow - - - - -
      - - -**Storage/EnhancedStorageDevices** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting configures whether or not Windows will activate an Enhanced Storage device. - -If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. - -If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Do not allow Windows to activate Enhanced Storage devices* -- GP name: *TCGSecurityActivationDisabled* -- GP path: *System/Enhanced Storage Access* -- GP ADMX file name: *enhancedstorage.admx* - - - - -
      - - -**Storage/RemovableDiskDenyWriteAccess** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." - -Supported values: -- 0 - Disable -- 1 - Enable - - - -ADMX Info: -- GP English name: *Removable Disks: Deny write access* -- GP name: *RemovableDisks_DenyWrite_Access_2* -- GP element: *RemovableDisks_DenyWrite_Access_2* -- GP path: *System/Removable Storage Access* -- GP ADMX file name: *RemovableStorage.admx* - - - - - - - - - - - - -
      - -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - +--- +title: Policy CSP - Storage +description: Policy CSP - Storage +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/27/2018 +--- + +# Policy CSP - Storage + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
      + + +## Storage policies + +
      +
      + Storage/AllowDiskHealthModelUpdates +
      +
      + Storage/EnhancedStorageDevices +
      +
      + Storage/RemovableDiskDenyWriteAccess +
      +
      + + +
      + + +**Storage/AllowDiskHealthModelUpdates** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1709. Allows disk health model updates. + + + +Value type is integer. + + + +ADMX Info: +- GP English name: *Allow downloading updates to the Disk Failure Prediction Model* +- GP name: *SH_AllowDiskHealthModelUpdates* +- GP path: *System/Storage Health* +- GP ADMX file name: *StorageHealth.admx* + + + +The following list shows the supported values: + +- 0 - Do not allow +- 1 (default) - Allow + + + + +
      + + +**Storage/EnhancedStorageDevices** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting configures whether or not Windows will activate an Enhanced Storage device. + +If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. + +If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Do not allow Windows to activate Enhanced Storage devices* +- GP name: *TCGSecurityActivationDisabled* +- GP path: *System/Enhanced Storage Access* +- GP ADMX file name: *enhancedstorage.admx* + + + + +
      + + +**Storage/RemovableDiskDenyWriteAccess** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage class. Note: To require that users write data to BitLocker-protected storage, enable the policy setting "Deny write access to drives not protected by BitLocker," which is located in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives." + +Supported values: +- 0 - Disable +- 1 - Enable + + + +ADMX Info: +- GP English name: *Removable Disks: Deny write access* +- GP name: *RemovableDisks_DenyWrite_Access_2* +- GP element: *RemovableDisks_DenyWrite_Access_2* +- GP path: *System/Removable Storage Access* +- GP ADMX file name: *RemovableStorage.admx* + + + + + + + + + + + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 77421bcad4..25a2c66a62 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,1443 +1,1444 @@ ---- -title: Policy CSP - System -description: Policy CSP - System -ms.author: maricia -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: MariciaAlforque -ms.date: 08/24/2018 ---- - -# Policy CSP - System - -> [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - - -
      - - -## System policies - -
      -
      - System/AllowBuildPreview -
      -
      - System/AllowDeviceNameInDiagnosticData -
      -
      - System/AllowEmbeddedMode -
      -
      - System/AllowExperimentation -
      -
      - System/AllowFontProviders -
      -
      - System/AllowLocation -
      -
      - System/AllowStorageCard -
      -
      - System/AllowTelemetry -
      -
      - System/AllowUserToResetPhone -
      -
      - System/BootStartDriverInitialization -
      -
      - System/ConfigureMicrosoft365UploadEndpoint -
      -
      - System/ConfigureTelemetryOptInChangeNotification -
      -
      - System/ConfigureTelemetryOptInSettingsUx -
      -
      - System/DisableDeviceDelete -
      -
      - System/DisableDiagnosticDataViewer -
      -
      - System/DisableEnterpriseAuthProxy -
      -
      - System/DisableOneDriveFileSync -
      -
      - System/DisableSystemRestore -
      -
      - System/FeedbackHubAlwaysSaveDiagnosticsLocally -
      -
      - System/LimitEnhancedDiagnosticDataWindowsAnalytics -
      -
      - System/TelemetryProxy -
      -
      - - -
      - - -**System/AllowBuildPreview** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -> [!NOTE] -> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. - - -This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. - -If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. - - - -ADMX Info: -- GP English name: *Toggle user control over Insider builds* -- GP name: *AllowBuildPreview* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *AllowBuildPreview.admx* - - - -The following list shows the supported values: - -- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. -- 1 – Allowed. Users can make their devices available for downloading and installing preview software. -- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. - - - - -
      - - -**System/AllowDeviceNameInDiagnosticData** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. - - - -ADMX Info: -- GP English name: *Allow device name to be sent in Windows diagnostic data* -- GP name: *AllowDeviceNameInDiagnosticData* -- GP element: *AllowDeviceNameInDiagnosticData* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
      - - -**System/AllowEmbeddedMode** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Specifies whether set general purpose device to be in embedded mode. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 (default) – Not allowed. -- 1 – Allowed. - - - - -
      - - -**System/AllowExperimentation** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -> [!NOTE] -> This policy is not supported in Windows 10, version 1607. - -This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. - - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – Disabled. -- 1 (default) – Permits Microsoft to configure device settings only. -- 2 – Allows Microsoft to conduct full experimentations. - - - - -
      - - -**System/AllowFontProviders** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. - -This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). - -This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. - -> [!Note] -> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. - - - -ADMX Info: -- GP English name: *Enable Font Providers* -- GP name: *EnableFontProviders* -- GP path: *Network/Fonts* -- GP ADMX file name: *GroupPolicy.admx* - - - -The following list shows the supported values: - -- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available. -- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. - - - -To verify if System/AllowFontProviders is set to true: - -- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. - - - - -
      - - -**System/AllowLocation** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Specifies whether to allow app access to the Location service. - - -Most restricted value is 0. - -While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. - -When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. - -For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. - - - -ADMX Info: -- GP English name: *Turn off location* -- GP name: *DisableLocation_2* -- GP path: *Windows Components/Location and Sensors* -- GP ADMX file name: *Sensors.admx* - - - -The following list shows the supported values: - -- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. -- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. -- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. - - - - -
      - - -**System/AllowStorageCard** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. - -Most restricted value is 0. - - - -The following list shows the supported values: - -- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. -- 1 (default) – Allow a storage card. - - - - -
      - - -**System/AllowTelemetry** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * User -> * Device - -
      - - - -Allow the device to send diagnostic and usage telemetry data, such as Watson. - -The following tables describe the supported values: - -Windows 8.1 Values: - -- 0 - Not allowed. -- 1 – Allowed, except for Secondary Data Requests. -- 2 (default) – Allowed. - - - -Windows 10 Values: - -- 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. - Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. -- 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. -- 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. -- 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. - - - - -> [!IMPORTANT] -> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. - - -Most restricted value is 0. - - - -ADMX Info: -- GP English name: *Allow Telemetry* -- GP name: *AllowTelemetry* -- GP element: *AllowTelemetry* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
      - - -**System/AllowUserToResetPhone** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. - -Most restricted value is 0. - - - -The following list shows the supported values: -orted values: - -- 0 – Not allowed. -- 1 (default) – Allowed to reset to factory default settings. - - - - -
      - - -**System/BootStartDriverInitialization** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: -- Good: The driver has been signed and has not been tampered with. -- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. -- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. -- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. - -If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. - -If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. - -If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Boot-Start Driver Initialization Policy* -- GP name: *POL_DriverLoadPolicy_Name* -- GP path: *System/Early Launch Antimalware* -- GP ADMX file name: *earlylauncham.admx* - - - - -
      - - -**System/ConfigureMicrosoft365UploadEndpoint** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy sets the upload endpoint for this device’s diagnostic data as part of the Microsoft 365 Update Readiness program. - -If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint. - -The value for this setting will be provided by Microsoft as part of the onboarding process for the program. - -Value type is string. - - -ADMX Info: -- GP English name: *Configure Microsoft 365 Update Readiness upload endpoint* -- GP name: *ConfigureMicrosoft365UploadEndpoint* -- GP element: *ConfigureMicrosoft365UploadEndpoint* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
      - - -**System/ConfigureTelemetryOptInChangeNotification** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting determines whether a device shows notifications about telemetry levels to people on first logon or when changes occur in Settings.  -If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. -If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first logon and when changes occur in Settings. - - - -ADMX Info: -- GP English name: *Configure telemetry opt-in change notifications.* -- GP name: *ConfigureTelemetryOptInChangeNotification* -- GP element: *ConfigureTelemetryOptInChangeNotification* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
      - - -**System/ConfigureTelemetryOptInSettingsUx** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings. - -If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them. - -If you set this policy setting to "Enable Telemetry opt-in Setings" or don't configure this policy setting, people can change their own telemetry levels in Settings. - -Note: -Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit. - - - -ADMX Info: -- GP English name: *Configure telemetry opt-in setting user interface.* -- GP name: *ConfigureTelemetryOptInSettingsUx* -- GP element: *ConfigureTelemetryOptInSettingsUx* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
      - - -**System/DisableDeviceDelete** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & Feedback Settings page. -If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. -If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. - - - -ADMX Info: -- GP English name: *Disable deleting diagnostic data * -- GP name: *DisableDeviceDelete* -- GP element: *DisableDeviceDelete* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
      - - -**System/DisableDiagnosticDataViewer** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. -If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. -If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. - - - -ADMX Info: -- GP English name: *Disable diagnostic data viewer. * -- GP name: *DisableDiagnosticDataViewer* -- GP element: *DisableDiagnosticDataViewer* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - - - - - - - - - - -
      - - -**System/DisableEnterpriseAuthProxy** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. - - - -ADMX Info: -- GP English name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service* -- GP name: *DisableEnterpriseAuthProxy* -- GP element: *DisableEnterpriseAuthProxy* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
      - - -**System/DisableOneDriveFileSync** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark2check mark2check mark2check mark2cross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: - -* Users cannot access OneDrive from the OneDrive app or file picker. -* Microsoft Store apps cannot access OneDrive using the WinRT API. -* OneDrive does not appear in the navigation pane in File Explorer. -* OneDrive files are not kept in sync with the cloud. -* Users cannot automatically upload photos and videos from the camera roll folder. - -If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. - - - -ADMX Info: -- GP English name: *Prevent the usage of OneDrive for file storage* -- GP name: *PreventOnedriveFileSync* -- GP path: *Windows Components/OneDrive* -- GP ADMX file name: *SkyDrive.admx* - - - -The following list shows the supported values: - -- 0 (default) – False (sync enabled). -- 1 – True (sync disabled). - - - -To validate on Desktop, do the following: - -1. Enable policy. -2. Restart machine. -3. Verify that OneDrive.exe is not running in Task Manager. - - - - -
      - - -**System/DisableSystemRestore** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Allows you to disable System Restore. - -This policy setting allows you to turn off System Restore. - -System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. - -If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. - -If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. - -Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. - - -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). - -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). - - -ADMX Info: -- GP English name: *Turn off System Restore* -- GP name: *SR_DisableSR* -- GP path: *System/System Restore* -- GP ADMX file name: *systemrestore.admx* - - - - -
      - - -**System/FeedbackHubAlwaysSaveDiagnosticsLocally** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark4check mark4check mark4check mark4check mark4
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. - - - -The following list shows the supported values: - -- 0 (default) - False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. -- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. - - - - -
      - - -**System/LimitEnhancedDiagnosticDataWindowsAnalytics** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -This policy setting, in combination with the System/AllowTelemetry - policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. - -To enable this behavior you must complete two steps: -
        -
      • Enable this policy setting
        • -
      • Set Allow Telemetry to level 2 (Enhanced)
        • -
      - -When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594). - -Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. - -If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. - - - -ADMX Info: -- GP English name: *Limit Enhanced diagnostic data to the minimum required by Windows Analytics* -- GP name: *LimitEnhancedDiagnosticDataWindowsAnalytics* -- GP element: *LimitEnhancedDiagnosticDataWindowsAnalytics* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - - -
      - - -**System/TelemetryProxy** - - - - - - - - - - - - - - - - - - - - - -
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      - - - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
      - - - -Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. - -If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. - - - -ADMX Info: -- GP English name: *Configure Connected User Experiences and Telemetry* -- GP name: *TelemetryProxy* -- GP element: *TelemetryProxyName* -- GP path: *Data Collection and Preview Builds* -- GP ADMX file name: *DataCollection.admx* - - - -
      - -Footnote: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. - - - +--- +title: Policy CSP - System +description: Policy CSP - System +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: MariciaAlforque +ms.date: 08/24/2018 +--- + +# Policy CSP - System + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +
      + + +## System policies + +
      +
      + System/AllowBuildPreview +
      +
      + System/AllowDeviceNameInDiagnosticData +
      +
      + System/AllowEmbeddedMode +
      +
      + System/AllowExperimentation +
      +
      + System/AllowFontProviders +
      +
      + System/AllowLocation +
      +
      + System/AllowStorageCard +
      +
      + System/AllowTelemetry +
      +
      + System/AllowUserToResetPhone +
      +
      + System/BootStartDriverInitialization +
      +
      + System/ConfigureMicrosoft365UploadEndpoint +
      +
      + System/ConfigureTelemetryOptInChangeNotification +
      +
      + System/ConfigureTelemetryOptInSettingsUx +
      +
      + System/DisableDeviceDelete +
      +
      + System/DisableDiagnosticDataViewer +
      +
      + System/DisableEnterpriseAuthProxy +
      +
      + System/DisableOneDriveFileSync +
      +
      + System/DisableSystemRestore +
      +
      + System/FeedbackHubAlwaysSaveDiagnosticsLocally +
      +
      + System/LimitEnhancedDiagnosticDataWindowsAnalytics +
      +
      + System/TelemetryProxy +
      +
      + + +
      + + +**System/AllowBuildPreview** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +> [!NOTE] +> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. + + +This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. + +If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. + + + +ADMX Info: +- GP English name: *Toggle user control over Insider builds* +- GP name: *AllowBuildPreview* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *AllowBuildPreview.admx* + + + +The following list shows the supported values: + +- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. +- 1 – Allowed. Users can make their devices available for downloading and installing preview software. +- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. + + + + +
      + + +**System/AllowDeviceNameInDiagnosticData** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data. If you disable or do not configure this policy setting, then device name will not be sent to Microsoft as part of Windows diagnostic data. + + + +ADMX Info: +- GP English name: *Allow device name to be sent in Windows diagnostic data* +- GP name: *AllowDeviceNameInDiagnosticData* +- GP element: *AllowDeviceNameInDiagnosticData* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
      + + +**System/AllowEmbeddedMode** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Specifies whether set general purpose device to be in embedded mode. + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + + +
      + + +**System/AllowExperimentation** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +> [!NOTE] +> This policy is not supported in Windows 10, version 1607. + +This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. + + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Permits Microsoft to configure device settings only. +- 2 – Allows Microsoft to conduct full experimentations. + + + + +
      + + +**System/AllowFontProviders** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. + +This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). + +This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. + +> [!Note] +> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. + + + +ADMX Info: +- GP English name: *Enable Font Providers* +- GP name: *EnableFontProviders* +- GP path: *Network/Fonts* +- GP ADMX file name: *GroupPolicy.admx* + + + +The following list shows the supported values: + +- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available. +- 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. + + + +To verify if System/AllowFontProviders is set to true: + +- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. + + + + +
      + + +**System/AllowLocation** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Specifies whether to allow app access to the Location service. + + +Most restricted value is 0. + +While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. + +When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. + +For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. + + + +ADMX Info: +- GP English name: *Turn off location* +- GP name: *DisableLocation_2* +- GP path: *Windows Components/Location and Sensors* +- GP ADMX file name: *Sensors.admx* + + + +The following list shows the supported values: + +- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. +- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. +- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. + + + + +
      + + +**System/AllowStorageCard** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. + +Most restricted value is 0. + + + +The following list shows the supported values: + +- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. +- 1 (default) – Allow a storage card. + + + + +
      + + +**System/AllowTelemetry** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
      + + + +Allow the device to send diagnostic and usage telemetry data, such as Watson. + +The following tables describe the supported values: + +Windows 8.1 Values: + +- 0 - Not allowed. +- 1 – Allowed, except for Secondary Data Requests. +- 2 (default) – Allowed. + + + +Windows 10 Values: + +- 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. + Note: This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. +- 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level. +- 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels. +- 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels. + + + + +> [!IMPORTANT] +> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. + + +Most restricted value is 0. + + + +ADMX Info: +- GP English name: *Allow Telemetry* +- GP name: *AllowTelemetry* +- GP element: *AllowTelemetry* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
      + + +**System/AllowUserToResetPhone** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. + +Most restricted value is 0. + + + +The following list shows the supported values: +orted values: + +- 0 – Not allowed. +- 1 (default) – Allowed to reset to factory default settings. + + + + +
      + + +**System/BootStartDriverInitialization** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: +- Good: The driver has been signed and has not been tampered with. +- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. +- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. +- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. + +If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. + +If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. + +If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Boot-Start Driver Initialization Policy* +- GP name: *POL_DriverLoadPolicy_Name* +- GP path: *System/Early Launch Antimalware* +- GP ADMX file name: *earlylauncham.admx* + + + + +
      + + +**System/ConfigureMicrosoft365UploadEndpoint** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy sets the upload endpoint for this device’s diagnostic data as part of the Microsoft 365 Update Readiness program. + +If your organization is participating in the program and has been instructed to configure a custom upload endpoint, then use this setting to define that endpoint. + +The value for this setting will be provided by Microsoft as part of the onboarding process for the program. + +Value type is string. + + +ADMX Info: +- GP English name: *Configure Microsoft 365 Update Readiness upload endpoint* +- GP name: *ConfigureMicrosoft365UploadEndpoint* +- GP element: *ConfigureMicrosoft365UploadEndpoint* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
      + + +**System/ConfigureTelemetryOptInChangeNotification** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting determines whether a device shows notifications about telemetry levels to people on first logon or when changes occur in Settings.  +If you set this policy setting to "Disable telemetry change notifications", telemetry level notifications stop appearing. +If you set this policy setting to "Enable telemetry change notifications" or don't configure this policy setting, telemetry notifications appear at first logon and when changes occur in Settings. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in change notifications.* +- GP name: *ConfigureTelemetryOptInChangeNotification* +- GP element: *ConfigureTelemetryOptInChangeNotification* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
      + + +**System/ConfigureTelemetryOptInSettingsUx** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark4check mark4check mark4check mark4
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting determines whether people can change their own telemetry levels in Settings. This setting should be used in conjunction with the Allow Telemetry settings. + +If you set this policy setting to "Disable Telemetry opt-in Settings", telemetry levels are disabled in Settings, preventing people from changing them. + +If you set this policy setting to "Enable Telemetry opt-in Setings" or don't configure this policy setting, people can change their own telemetry levels in Settings. + +Note: +Set the Allow Telemetry policy setting to prevent people from sending diagnostic data to Microsoft beyond your organization's limit. + + + +ADMX Info: +- GP English name: *Configure telemetry opt-in setting user interface.* +- GP name: *ConfigureTelemetryOptInSettingsUx* +- GP element: *ConfigureTelemetryOptInSettingsUx* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
      + + +**System/DisableDeviceDelete** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & Feedback Settings page. +If you enable this policy setting, the Delete diagnostic data button will be disabled in Settings page, preventing the deletion of diagnostic data collected by Microsoft from the device. +If you disable or don't configure this policy setting, the Delete diagnostic data button will be enabled in Settings page, which allows people to erase all diagnostic data collected by Microsoft from that device. + + + +ADMX Info: +- GP English name: *Disable deleting diagnostic data * +- GP name: *DisableDeviceDelete* +- GP element: *DisableDeviceDelete* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
      + + +**System/DisableDiagnosticDataViewer** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark5check mark5check mark5check mark5
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. +If you enable this policy setting, the Diagnostic Data Viewer will not be enabled in Settings page, and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device. +If you disable or don't configure this policy setting, the Diagnostic Data Viewer will be enabled in Settings page. + + + +ADMX Info: +- GP English name: *Disable diagnostic data viewer. * +- GP name: *DisableDiagnosticDataViewer* +- GP element: *DisableDiagnosticDataViewer* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + + + + + + + + + + +
      + + +**System/DisableEnterpriseAuthProxy** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3cross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting, the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automatically using an authenticated proxy. + + + +ADMX Info: +- GP English name: *Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service* +- GP name: *DisableEnterpriseAuthProxy* +- GP element: *DisableEnterpriseAuthProxy* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
      + + +**System/DisableOneDriveFileSync** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark2check mark2check mark2check mark2cross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: + +* Users cannot access OneDrive from the OneDrive app or file picker. +* Microsoft Store apps cannot access OneDrive using the WinRT API. +* OneDrive does not appear in the navigation pane in File Explorer. +* OneDrive files are not kept in sync with the cloud. +* Users cannot automatically upload photos and videos from the camera roll folder. + +If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + + + +ADMX Info: +- GP English name: *Prevent the usage of OneDrive for file storage* +- GP name: *PreventOnedriveFileSync* +- GP path: *Windows Components/OneDrive* +- GP ADMX file name: *SkyDrive.admx* + + + +The following list shows the supported values: + +- 0 (default) – False (sync enabled). +- 1 – True (sync disabled). + + + +To validate on Desktop, do the following: + +1. Enable policy. +2. Restart machine. +3. Verify that OneDrive.exe is not running in Task Manager. + + + + +
      + + +**System/DisableSystemRestore** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcross markcross mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Allows you to disable System Restore. + +This policy setting allows you to turn off System Restore. + +System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. + +If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. + +If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. + +Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). + +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off System Restore* +- GP name: *SR_DisableSR* +- GP path: *System/System Restore* +- GP ADMX file name: *systemrestore.admx* + + + + +
      + + +**System/FeedbackHubAlwaysSaveDiagnosticsLocally** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      check mark4check mark4check mark4check mark4check mark4
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Added in Windows 10, version 1803. When filing feedback in the Feedback Hub, diagnostic logs are collected for certain types of feedback. We now offer the option for users to save it locally, in addition to sending it to Microsoft. This policy will allow enterprises to mandate that all diagnostics are saved locally for use in internal investigations. + + + +The following list shows the supported values: + +- 0 (default) - False. The Feedback Hub will not always save a local copy of diagnostics that may be created when a feedback is submitted. The user will have the option to do so. +- 1 - True. The Feedback Hub should always save a local copy of diagnostics that may be created when a feedback is submitted. + + + + +
      + + +**System/LimitEnhancedDiagnosticDataWindowsAnalytics** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck mark3check mark3check mark3check mark3check mark3check mark3
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +This policy setting, in combination with the System/AllowTelemetry + policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. + +To enable this behavior you must complete two steps: +
        +
      • Enable this policy setting
        • +
      • Set Allow Telemetry to level 2 (Enhanced)
        • +
      + +When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented here: [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](https://go.microsoft.com/fwlink/?linkid=847594). + +Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level telemetry data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. + +If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. + + + +ADMX Info: +- GP English name: *Limit Enhanced diagnostic data to the minimum required by Windows Analytics* +- GP name: *LimitEnhancedDiagnosticDataWindowsAnalytics* +- GP element: *LimitEnhancedDiagnosticDataWindowsAnalytics* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + + +
      + + +**System/TelemetryProxy** + + + + + + + + + + + + + + + + + + + + + +
      HomeProBusinessEnterpriseEducationMobileMobile Enterprise
      cross markcheck markcheck markcheck markcheck markcheck markcheck mark
      + + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
      + + + +Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. + +If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. + + + +ADMX Info: +- GP English name: *Configure Connected User Experiences and Telemetry* +- GP name: *TelemetryProxy* +- GP element: *TelemetryProxyName* +- GP path: *Data Collection and Preview Builds* +- GP ADMX file name: *DataCollection.admx* + + + +
      + +Footnote: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. + + + diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 7001fe088f..e806cf4108 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -93,7 +93,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md index e96eb5340c..a6403f3b61 100644 --- a/windows/client-management/mdm/policy-csp-textinput.md +++ b/windows/client-management/mdm/policy-csp-textinput.md @@ -1334,7 +1334,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 80185310fd..d1447a5e6c 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1770,7 +1770,7 @@ For Quality Updates, this policy specifies the timing before transitioning from Value type is integer. Default value is 7 days. -Supported value range: 0 - 30. +Supported value range: 2 - 30. If you disable or do not configure this policy, the default behaviors will be used. @@ -1833,7 +1833,7 @@ For Feature Updates, this policy specifies the timing before transitioning from Value type is integer. Default value is 7 days. -Supported value range: 0 - 30. +Supported value range: 2 - 30. If you disable or do not configure this policy, the default behaviors will be used. @@ -3576,6 +3576,7 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index ead54a0bfb..09b30b65c0 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 03/12/2018 +ms.date: 10/31/2018 --- # Policy CSP - UserRights @@ -14,7 +14,7 @@ ms.date: 03/12/2018
      -User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. Here is a list for reference, [Well-Known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx). Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages. Some user rights allow things, like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. +User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. Here is a list for reference, [Well-Known SID Structures](https://msdn.microsoft.com/library/cc980032.aspx). Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork. Here is an example syncml for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups. @@ -40,7 +40,7 @@ Here is an example syncml for setting the user right BackupFilesAndDirectories f ``` -Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator +Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator. - Grant an user right to Administrators group via SID: ``` @@ -49,17 +49,17 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s - Grant an user right to multiple groups (Administrators, Authenticated Users) via SID ``` - *S-1-5-32-544*S-1-5-11 + *S-1-5-32-544*S-1-5-11 ``` - Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings ``` - *S-1-5-32-544Authenticated Users + *S-1-5-32-544Authenticated Users ``` - Grant an user right to multiple groups (Authenticated Users, Administrators) via strings ``` - Authenticated UsersAdministrators + Authenticated UsersAdministrators ``` - Empty input indicates that there are no users configured to have that user right diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md index 25ff1652b7..d8a9e0a74b 100644 --- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md +++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md @@ -1430,7 +1430,8 @@ Footnote: - 2 - Added in Windows 10, version 1703. - 3 - Added in Windows 10, version 1709. - 4 - Added in Windows 10, version 1803. -- 5 - Added in the next major release of Windows 10. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in the next major release of Windows 10. diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index 07a7954820..e75a0cf6de 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -286,7 +286,7 @@ ADMX Info: -Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. +Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index d1f0306ec9..e9e1339f46 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -1420,12 +1420,12 @@ Related policy: If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - <support.contoso.com><support.microsoft.com> + If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. +If you do not want to send traffic to Microsoft, enable this policy and use the value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. @@ -1653,11 +1653,11 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) @@ -10603,12 +10603,12 @@ Related policy: If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - <support.contoso.com><support.microsoft.com> + If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. +If you do not want to send traffic to Microsoft, enable this policy and use the value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. @@ -10862,11 +10862,11 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) @@ -22414,12 +22414,12 @@ Related policy: If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - <support.contoso.com><support.microsoft.com> + If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. +If you do not want to send traffic to Microsoft, enable this policy and use the value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. @@ -22647,11 +22647,11 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) @@ -25635,7 +25635,7 @@ Related policy: - EnableSystemGuard + ConfigureSystemGuardLaunch @@ -27217,7 +27217,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. + You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. Related policy: PreventUsersFromTurningOnBrowserSyncing 0 (default) = allow syncing, 2 = disable syncing @@ -33474,7 +33474,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. - + This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. @@ -33862,7 +33862,7 @@ If you disable or do not configure this policy (recommended), users will be able Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. +Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. @@ -34352,7 +34352,7 @@ The options are: No Action Lock Workstation Force Logoff - Disconnect if a Remote Desktop Services session + Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. @@ -35374,7 +35374,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. @@ -44745,7 +44745,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. + Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. @@ -47064,11 +47064,11 @@ Because of these factors, users do not usually need this user right. Warning: If - - - - - + + + + + ]]> @@ -49724,12 +49724,12 @@ Related policy: If enabled, you must include URLs to the pages, separating multiple pages using angle brackets in the following format: - <support.contoso.com><support.microsoft.com> + If disabled or not configured, the webpages specified in App settings loads as the default Start pages. Version 1703 or later: -If you do not want to send traffic to Microsoft, enable this policy and use the <about:blank> value, which honors domain- and non-domain-joined devices, when it is the only configured URL. +If you do not want to send traffic to Microsoft, enable this policy and use the value, which honors domain- and non-domain-joined devices, when it is the only configured URL. Version 1809: If enabled, and you select either Start page, New Tab page, or previous page in the Configure Open Microsoft Edge With policy, Microsoft Edge ignores the Configure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages, Microsoft Edge uses the Configure Start Pages policy. @@ -49983,11 +49983,11 @@ If disabled or not configured, extensions defined as part of this policy get ign Default setting: Disabled or not configured Related policies: Allow Developer Tools Related Documents: -- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) -- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business) -- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy) -- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) -- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-apps-windows) +- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn) +- How to manage apps you purchased from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/intune/windows-store-for-business) +- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/intune/apps-deploy) +- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business) +- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/intune/lob-apps-windows) @@ -55084,7 +55084,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 0 - You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. + You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. Related policy: PreventUsersFromTurningOnBrowserSyncing 0 (default) = allow syncing, 2 = disable syncing @@ -62093,7 +62093,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. - + This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. @@ -62491,7 +62491,7 @@ If you disable or do not configure this policy (recommended), users will be able Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. +Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. @@ -63024,7 +63024,7 @@ The options are: No Action Lock Workstation Force Logoff - Disconnect if a Remote Desktop Services session + Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. @@ -64127,7 +64127,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. @@ -74444,7 +74444,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. + Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index bfb5dfd307..77dea602cf 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -36,12 +36,14 @@ The following diagram shows the Reboot configuration service provider management

      The supported operation is Get.

      **Schedule/Single** -

      This node will execute a reboot at a scheduled date and time. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. For example: 2015-12-15T07:36:25Z

      +

      This node will execute a reboot at a scheduled date and time. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required.
      +Example to configure: 2018-10-25T18:00:00

      The supported operations are Get, Add, Replace, and Delete.

      **Schedule/DailyRecurrent** -

      This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.

      +

      This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
      +Example to configure: 2018-10-25T18:00:00

      The supported operations are Get, Add, Replace, and Delete.

      diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md index 6a45bb2c9a..3d49884cd8 100644 --- a/windows/client-management/mdm/remotelock-csp.md +++ b/windows/client-management/mdm/remotelock-csp.md @@ -98,7 +98,7 @@ This node will return the following status. All OMA DM errors are listed [here]( **LockAndRecoverPIN** Added in Windows 10, version 1703. This setting performs a similar function to the LockAndResetPIN node. With LockAndResetPIN any Windows Hello keys associated with the PIN gets deleted, but with LockAndRecoverPIN those keys are saved. After the Exec operation is called successfully on this setting, the new PIN can be retrieved from the NewPINValue setting. The previous PIN will no longer work. -Executing this node requires a ticket from the Microsoft credential reset service. Additionally, the execution of this setting is only supported when the [EnablePinRecovery](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/passportforwork-csp#tenantid-policies-enablepinrecovery) policy is set on the client. +Executing this node requires a ticket from the Microsoft credential reset service. Additionally, the execution of this setting is only supported when the [EnablePinRecovery](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/passportforwork-csp#tenantid-policies-enablepinrecovery) policy is set on the client. **NewPINValue** diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index a8ba842ba7..4d4507311e 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -54,7 +54,7 @@ Supported operations are Get and Replace. ## Related topics -[Set up Take a Test on multiple PCs](https://technet.microsoft.com/en-us/edu/windows/take-a-test-multiple-pcs) +[Set up Take a Test on multiple PCs](https://technet.microsoft.com/edu/windows/take-a-test-multiple-pcs) [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index ef549e1753..f434251f74 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -6,13 +6,16 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 02/01/2018 +ms.date: 10/02/2018 --- # UEFI CSP -The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1803. +The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809. + +> [!Note] +> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). The following diagram shows the UEFI CSP in tree format. @@ -23,62 +26,102 @@ The following list describes the characteristics and parameters. **./Vendor/MSFT/Uefi** Root node. -**UefiDeviceIdentifier** -Retrieves XML from UEFI which describes the device identifier. +**DeviceIdentifier** +Retrieves XML from UEFI that describes the device identifier. Supported operation is Get. -**IdentityInfo** -Node for provisioned signers operations. - - -**IdentityInfo/Current** -Retrieves XML from UEFI which describes the current UEFI identity information. +**Identity** +Node for identity certificate operations. Supported operation is Get. -**IdentityInfo/Apply** -Apply an identity information package to UEFI. Input is the signed package in base64 encoded format. - -Supported operation is Replace. - -**IdentityInfo/ApplyResult** -Retrieves XML describing the results of previous ApplyIdentityInfo operation. +**Identity/Current** +Retrieves XML from UEFI that describes the current UEFI identity certificate information. Supported operation is Get. -**AuthInfo** -Node for permission information operations. +**Identity/Apply** +Applies an identity information package to UEFI. Input is the signed package in base64 encoded format. -**AuthInfo/Current** -Retrieves XML from UEFI which describes the current UEFI permission/authentication information. +Value type is Base64. Supported operation is Replace. + +**Identity/Result** +Retrieves the binary result package of the previous Identity/Apply operation. Supported operation is Get. -**AuthInfo/Apply** -Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format. +**Permissions** +Node for settings permission operations.. -Supported operation is Replace. - -**AuthInfo/ApplyResult** -Retrieves XML describing the results of previous ApplyAuthInfo operation. +**Permissions/Current** +Retrieves XML from UEFI that describes the current UEFI settings permissions. Supported operation is Get. -**Config** -Node for device configuration +**Permissions/Apply** +Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. -**Config/Current** -Retrieves XML from UEFI which describes the current UEFI configuration. +Value type is Base64. Supported operation is Replace. + +**Permissions/Result** +Retrieves the binary result package of the previous Permissions/Apply operation. This binary package contains XML describing the action taken for each individual permission. Supported operation is Get. -**Config/Apply** -Apply a configuration package to UEFI. Input is the signed package in base64 encoded format. +**Settings** +Node for device settings operations. -Supported operation is Replace. - -**Config/ApplyResult** -Retrieves XML describing the results of previous ApplyConfig operation. +**Settings/Current** +Retrieves XML from UEFI that describes the current UEFI settings. Supported operation is Get. + +**Settings/Apply** +Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. + +Value type is Base64. Supported operation is Replace. + +**Settings/Result** +Retrieves the binary result package of the previous Settings/Apply operation. This binary package contains XML describing the action taken for each individual setting. + +Supported operation is Get. + +**Identity2** +Node for identity certificate operations. Alternate endpoint for sending a second identity package without an OS restart. + +**Identity2/Apply** +Apply an identity information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two identity packages in the same session. + +Value type is Base64. Supported operation is Replace. + +**Identity2/Result** +Retrieves the binary result package of the previous Identity2/Apply operation. + +Supported operation is Get. + +**Permissions2** +Node for settings permission operations. Alternate endpoint for sending a second permission package without an OS restart. + +**Permissions2/Apply** +Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two permissions information packages in the same session. + +Value type is Base64. Supported operation is Replace. + +**Permissions2/Result** +Retrieves the binary result package from the previous Permissions2/Apply operation. This binary package contains XML describing the action taken for each individual permission. + +Supported operation is Get. + +**Settings2** +Nodefor device settings operations. Alternate endpoint for sending a second settings package without an OS restart. + +**Settings2/Apply** +Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session. + +Value type is Base64. Supported operation is Replace. + +**Settings2/Result** +Retrieves the binary result package of previous Settings2/Apply operation. This binary package contains XML describing the action taken for each individual setting. + +Supported operation is Get. \ No newline at end of file diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md index de67ae71b4..ddfe446519 100644 --- a/windows/client-management/mdm/uefi-ddf.md +++ b/windows/client-management/mdm/uefi-ddf.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 02/01/2018 +ms.date: 10/02/2018 --- # UEFI DDF file @@ -16,7 +16,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Uefi** Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version for this CSP. +The XML below is for Windows 10, version 1809. ``` syntax @@ -32,6 +32,7 @@ The XML below is the current version for this CSP. + UEFI Firmware Configuration Service Provider. @@ -46,12 +47,12 @@ The XML below is the current version for this CSP.       - UefiDeviceIdentifier + DeviceIdentifier - Retrieves XML from UEFI which describes the device identifier. + Retrieves XML from UEFI which contains the device identifier. @@ -61,21 +62,18 @@ The XML below is the current version for this CSP. - - - text/plain - IdentityInfo + Identity - Provisioned signers + Identity certificate operations. @@ -95,7 +93,7 @@ The XML below is the current version for this CSP. - Retrieves XML from UEFI which describes the current UEFI identity information + Retrieves XML from UEFI which describes the current UEFI identity certificate information. @@ -132,14 +130,14 @@ The XML below is the current version for this CSP. - ApplyResult + Result - Retrieves XML describing the results of previous ApplyIdentityInfo operation. + Retrieves the binary result package of the previous Identity/Apply operation. - + @@ -148,18 +146,18 @@ The XML below is the current version for this CSP. - text/plain +       - AuthInfo + Permissions - Permission Information + Settings permission operations. @@ -179,7 +177,7 @@ The XML below is the current version for this CSP. - Retrieves XML from UEFI which describes the current UEFI permission/authentication information. + Retrieves XML from UEFI which describes the current UEFI settings permissions. @@ -200,7 +198,7 @@ The XML below is the current version for this CSP. - Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format. + Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. @@ -216,14 +214,14 @@ The XML below is the current version for this CSP. - ApplyResult + Result - Retrieves XML describing the results of previous ApplyAuthInfo operation. + Retrieves the binary result package of the previous Permissions/Apply operation. This binary package contains XML describing the action taken for each individual permission. - + @@ -232,18 +230,18 @@ The XML below is the current version for this CSP. - text/plain + - Config + Settings - Device Configuration + Device settings operations. @@ -263,7 +261,7 @@ The XML below is the current version for this CSP. - Retrieves XML from UEFI which describes the current UEFI configuration. + Retrieves XML from UEFI which describes the current UEFI settings. @@ -284,7 +282,7 @@ The XML below is the current version for this CSP. - Apply a configuration package to UEFI. Input is the signed package in base64 encoded format. + Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. @@ -300,14 +298,14 @@ The XML below is the current version for this CSP. - ApplyResult + Result - Retrieves XML describing the results of previous ApplyConfig operation. + Retrieves the binary result package of the previous Settings/Apply operation. This binary package contains XML describing the action taken for each individual setting. - + @@ -316,7 +314,196 @@ The XML below is the current version for this CSP. - text/plain + + + + + + + Identity2 + + + + + Identity certificate operations. Alternate endpoint for sending a second identity package without an OS restart. + + + + + + + + + + + + + + + Apply + + + + + Apply an identity information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two identity packages in the same session. + + + + + + + + + + + + + + + + Result + + + + + Retrieves the binary result package of the previous Identity2/Apply operation. + + + + + + + + + + + + + + + + + Permissions2 + + + + + Settings permission operations. Alternate endpoint for sending a second permission package without an OS restart. + + + + + + + + + + + + + + + Apply + + + + + Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two permissions information packages in the same session. + + + + + + + + + + + + + + + + Result + + + + + Retrieves the binary result package from the previous Permissions2/Apply operation. This binary package contains XML describing the action taken for each individual permission. + + + + + + + + + + + + + + + + + Settings2 + + + + + Device settings operations. Alternate endpoint for sending a second settings package without an OS restart. + + + + + + + + + + + + + + + Apply + + + + + Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session. + + + + + + + + + + + + + + + + Result + + + + + Retrieves the binary result package of previous Settings2/Apply operation. This binary package contains XML describing the action taken for each individual setting. + + + + + + + + + + + diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index 03b111b649..be981913ce 100644 --- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -17,7 +17,7 @@ Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy confi ## Background -In addition to standard policies, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](https://technet.microsoft.com/en-us/library/cc753471(v=ws.10).aspx). +In addition to standard policies, the Policy CSP can now also handle ADMX-backed policies. In an ADMX-backed policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](https://technet.microsoft.com/library/cc753471(v=ws.10).aspx). ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC. Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor: @@ -28,7 +28,7 @@ In a domain controller/Group Policy ecosystem, Group Policies are automatically An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC’s Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM. -Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies). +Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#admx-backed-policies). ## Video walkthrough @@ -72,7 +72,7 @@ Note that most Group Policies are a simple Boolean type. For a Boolean Group Pol > [!IMPORTANT] > Any data entry field that is displayed in the Group Policy page of the Group Policy Editor must be supplied in the encoded XML of the SyncML payload. The SyncML data payload is equivalent to the user-supplied Group Policy data through GPEdit.msc. -For more information about the Group Policy description format, see [Administrative Template File (ADMX) format](https://msdn.microsoft.com/en-us/library/aa373476(v=vs.85).aspx). Elements can be Text, MultiText, Boolean, Enum, Decimal, or List (for more information, see [policy elements](https://msdn.microsoft.com/en-us/library/dn606004(v=vs.85).aspx)). +For more information about the Group Policy description format, see [Administrative Template File (ADMX) format](https://msdn.microsoft.com/library/aa373476(v=vs.85).aspx). Elements can be Text, MultiText, Boolean, Enum, Decimal, or List (for more information, see [policy elements](https://msdn.microsoft.com/library/dn606004(v=vs.85).aspx)). For example, if you search for the string, "Publishing_Server2_Name_Prompt" in both the *Enabling a policy* example and its corresponding ADMX policy definition in the appv.admx file, you will find the following occurrences: @@ -176,7 +176,7 @@ The following SyncML examples describe how to set a MDM policy that is defined b ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2 - <disabled/> + @@ -202,7 +202,8 @@ The following SyncML examples describe how to set a MDM policy that is defined b (None) **Request SyncML** -``` + +```XML @@ -220,7 +221,8 @@ The following SyncML examples describe how to set a MDM policy that is defined b ``` **Response SyncML** -``` + +```XML 2 1 @@ -340,7 +342,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/VirtualComponentsAllowList - <enabled/><data id="Virtualization_JITVAllowList_Prompt" value="C:\QuickPatch\TEST\snot.exeC:\QuickPatch\TEST\foo.exeC:\QuickPatch\TEST\bar.exe"/> + @@ -384,7 +386,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange - <Enabled/><Data id="SecondaryHomePagesList" value="http://name1http://name1http://name2http://name2"/> + @@ -416,7 +418,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableUpdateCheck - <Enabled/> + @@ -470,8 +472,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar ./Device/Vendor/MSFT/Policy/Config/BitLocker/EncryptionMethodByDriveType - <enabled/> - <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/> + + @@ -507,8 +509,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowReestablishmentInterval - <enabled/> - <data id="Streaming_Reestablishment_Interval_Prompt" value="4"/> + + @@ -560,8 +562,8 @@ Variations of the `list` element are dictated by attributes. These attributes ar ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses - <enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/> - <Data id="DeviceInstall_Classes_Deny_List" value="1deviceId12deviceId2"/> + + diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md index 51a11541d3..79be87ff7f 100644 --- a/windows/client-management/mdm/vpn-ddf-file.md +++ b/windows/client-management/mdm/vpn-ddf-file.md @@ -1384,7 +1384,7 @@ This topic shows the OMA DM device description framework (DDF) for the **VPN** c ## Related topics -[VPN configurtion service provider](vpn-csp.md) +[VPN configuration service provider](vpn-csp.md)   diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index e7dc68df1b..4bef8b6e80 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -603,41 +603,41 @@ Profile example ./Vendor/MSFT/VPNv2/VPN_Demo/ProfileXML - <VPNProfile> - <ProfileName>VPN_Demo</ProfileName> - <NativeProfile> - <Servers>VPNServer.contoso.com</Servers> - <NativeProtocolType>Automatic</NativeProtocolType> - <Authentication> - <UserMethod>Eap</UserMethod> - <Eap> - <Configuration> -<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <EapMethod> <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type> <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId> <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType> <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId> </EapMethod> <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>25</Type> <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <FastReconnect>true</FastReconnect> <InnerEapOptional>false</InnerEapOptional> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>13</Type> <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"> <CredentialsSource> <CertificateStore> <SimpleCertSelection>false</SimpleCertSelection> </CertificateStore> </CredentialsSource> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <DifferentUsername>false</DifferentUsername> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName> <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"> <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"> <EKUMapping> <EKUMap> <EKUName>Unknown Key Usage</EKUName> <EKUOID>1.3.6.1.4.1.311.87</EKUOID> </EKUMap> </EKUMapping> <ClientAuthEKUList Enabled="true"> <EKUMapInList> <EKUName>Unknown Key Usage</EKUName> </EKUMapInList> </ClientAuthEKUList> </FilteringInfo> </TLSExtensions> </EapType> </Eap> <EnableQuarantineChecks>false</EnableQuarantineChecks> <RequireCryptoBinding>false</RequireCryptoBinding> <PeapExtensions> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName> </PeapExtensions> </EapType> </Eap> </Config> </EapHostConfig> - </Configuration> - </Eap> - </Authentication> - <RoutingPolicyType>SplitTunnel</RoutingPolicyType> - </NativeProfile> - <DomainNameInformation> - <DomainName>.contoso.com</DomainName> - <DNSServers>10.5.5.5</DNSServers> - </DomainNameInformation> - <TrafficFilter> - <App>%ProgramFiles%\Internet Explorer\iexplore.exe</App> - </TrafficFilter> - <TrafficFilter> - <App>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</App> - </TrafficFilter> - <Route> - <Address>10.0.0.0</Address> - <PrefixSize>8</PrefixSize> - </Route> - <Route> - <Address>25.0.0.0</Address> - <PrefixSize>8</PrefixSize> - </Route> - <RememberCredentials>true</RememberCredentials> - </VPNProfile> + + VPN_Demo + + VPNServer.contoso.com + Automatic + + Eap + + + 25 0 0 0 25 false true false 13 false false false false false Unknown Key Usage 1.3.6.1.4.1.311.87 Unknown Key Usage false false false false + + + + SplitTunnel + + + .contoso.com + 10.5.5.5 + + + %ProgramFiles%\Internet Explorer\iexplore.exe + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + +
      10.0.0.0
      + 8 +       + +
      25.0.0.0
      + 8 +       + true +       @@ -1166,7 +1166,7 @@ PluginPackageFamilyName ./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/CustomConfiguration - <pluginschema><ipAddress>auto</ipAddress><port>443</port><networksettings><routes><includev4><route><address>172.10.10.0</address><prefix>24</prefix></route></includev4></routes><namespaces><namespace><space>.vpnbackend.com</space><dnsservers><server>172.10.10.11</server></dnsservers></namespace></namespaces></networksettings></pluginschema> + auto443
      172.10.10.0
      24      .vpnbackend.com172.10.10.11       ``` diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index 6c582f4933..87b64762f7 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -347,7 +347,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro testserver1.contoso.com;testserver2.contoso..com JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy - <pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema> + true
      192.168.0.0
      diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index cce5885ca9..d19d79eaec 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -7,13 +7,13 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 06/28/2018 +ms.date: 10/24/2018 --- # WiFi CSP > [!WARNING] -> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +> Some information relates to pre-released products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. The configuration service provider accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the device to connect to the Wi-Fi network when it is in range. @@ -23,7 +23,7 @@ Programming considerations: - Because the Windows 10 Mobile emulator does not support Wi-Fi, you cannot test the Wi-Fi configuration with an emulator. You can still provision a Wi-Fi network using the WiFi CSP, then check it in the Wi-Fi settings page, but you cannot test the network connectivity in the emulator. - For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device. - The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported. -- The <name>*name\_goes\_here*</name><SSIDConfig> must match <SSID><name> *name\_goes\_here*</name></SSID>. +- The *name\_goes\_here* must match *name\_goes\_here*. - For the WiFi CSP, you cannot use the Replace command unless the node already exists. - Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure. @@ -41,10 +41,10 @@ Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is Supported operation is Get. -***<SSID>*** +****** Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted. -SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, <LocURI>./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml</LocURI>. +SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, ./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml. The supported operations are Add, Get, Delete, and Replace. @@ -130,7 +130,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor chr - <?xml version="1.0"?><WLANProfile xmlns="http://contoso.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><hex>412D4D534654574C414E</hex><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://contoso.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://contoso.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://contoso.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://contoso.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://contoso.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://contoso.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://contoso.com/provisioning/EapHostConfig"><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://contoso.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> + MyNetwork412D4D534654574C414EMyNetworkfalseESSmanualWPA2AEStrueuser2500025truetruefalse26falsefalsefalsefalsefalse @@ -215,7 +215,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetw chr - <?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames><TrustedRootCA> InsertCertThumbPrintHere </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> + MyNetworkMyNetworkfalseESSmanualWPA2AEStrueuser2500025true InsertCertThumbPrintHere truefalse26falsefalsefalsetruefalse diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index d09ff0684c..71a6c46d45 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -102,7 +102,7 @@ The XML below is for Windows 10, version 1809. XML describing the network configuration and follows Windows WLAN_profile schema. - Link to schema: http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx + Link to schema: http://msdn.microsoft.com/library/windows/desktop/ms707341(v=vs.85).aspx diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index 8c6f58a89e..eb942f3643 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md @@ -205,136 +205,136 @@ The following example shows an ADMX file in SyncML format: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01 - <policyDefinitions revision="1.0" schemaVersion="1.0"> - <categories> - <category name="ParentCategoryArea"/> - <category name="Category1"> - <parentCategory ref="ParentCategoryArea" /> - </category> - <category name="Category2"> - <parentCategory ref="ParentCategoryArea" /> - </category> - <category name="Category3"> - <parentCategory ref="Category2" /> - </category> - </categories> - <policies> - <policy name="L_PolicyConfigurationMode" class="Machine" displayName="$(string.L_PolicyConfigurationMode)" explainText="$(string.L_ExplainText_ConfigurationMode)" presentation="$(presentation.L_PolicyConfigurationMode)" key="software\policies\contoso\companyApp" valueName="configurationmode"> - <parentCategory ref="Category1" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <enabledValue> - <decimal value="1" /> - </enabledValue> - <disabledValue> - <decimal value="0" /> - </disabledValue> - <elements> - <text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" /> - <text id="L_ServerAddressExternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" /> - </elements> - </policy> - <policy name="L_PolicyEnableSIPHighSecurityMode" class="Machine" displayName="$(string.L_PolicyEnableSIPHighSecurityMode)" explainText="$(string.L_ExplainText_EnableSIPHighSecurityMode)" presentation="$(presentation.L_PolicyEnableSIPHighSecurityMode)" key="software\policies\contoso\companyApp" valueName="enablesiphighsecuritymode"> - <parentCategory ref="Category1" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <enabledValue> - <decimal value="1" /> - </enabledValue> - <disabledValue> - <decimal value="0" /> - </disabledValue> - </policy> - <policy name="L_PolicySipCompression" class="Machine" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression)" key="software\policies\contoso\companyApp"> - <parentCategory ref="Category1" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <elements> - <enum id="L_PolicySipCompression" valueName="sipcompression"> - <item displayName="$(string.L_SipCompressionVal0)"> - <value> - <decimal value="0" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal1)"> - <value> - <decimal value="1" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal2)"> - <value> - <decimal value="2" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal3)"> - <value> - <decimal value="3" /> - </value> - </item> - </enum> - </elements> - </policy> - <policy name="L_PolicyPreventRun" class="Machine" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun)" key="software\policies\contoso\companyApp" valueName="preventrun"> - <parentCategory ref="Category1" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <enabledValue> - <decimal value="1" /> - </enabledValue> - <disabledValue> - <decimal value="0" /> - </disabledValue> - </policy> - <policy name="L_PolicyConfiguredServerCheckValues" class="Machine" displayName="$(string.L_PolicyConfiguredServerCheckValues)" explainText="$(string.L_ExplainText_ConfiguredServerCheckValues)" presentation="$(presentation.L_PolicyConfiguredServerCheckValues)" key="software\policies\contoso\companyApp"> - <parentCategory ref="Category2" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <elements> - <text id="L_ConfiguredServerCheckValues_VALUE" valueName="configuredservercheckvalues" required="true" /> - </elements> - </policy> - <policy name="L_PolicySipCompression_1" class="User" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression_1)" key="software\policies\contoso\companyApp"> - <parentCategory ref="Category2" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <elements> - <enum id="L_PolicySipCompression" valueName="sipcompression"> - <item displayName="$(string.L_SipCompressionVal0)"> - <value> - <decimal value="0" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal1)"> - <value> - <decimal value="1" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal2)"> - <value> - <decimal value="2" /> - </value> - </item> - <item displayName="$(string.L_SipCompressionVal3)"> - <value> - <decimal value="3" /> - </value> - </item> - </enum> - </elements> - </policy> - <policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun"> - <parentCategory ref="Category3" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <enabledValue> - <decimal value="1" /> - </enabledValue> - <disabledValue> - <decimal value="0" /> - </disabledValue> - </policy> - <policy name="L_PolicyGalDownloadInitialDelay_1" class="User" displayName="$(string.L_PolicyGalDownloadInitialDelay)" explainText="$(string.L_ExplainText_GalDownloadInitialDelay)" presentation="$(presentation.L_PolicyGalDownloadInitialDelay_1)" key="software\policies\contoso\companyApp"> - <parentCategory ref="Category3" /> - <supportedOn ref="windows:SUPPORTED_Windows7" /> - <elements> - <decimal id="L_GalDownloadInitialDelay_VALUE" valueName="galdownloadinitialdelay" minValue="0" required="true" /> - </elements> - </policy> - </policies> - </policyDefinitions> + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -423,7 +423,7 @@ The following examples describe how to set an ADMX-ingested app policy. ./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode - <enabled/><data id="L_ServerAddressInternal_VALUE" value="TextValue1"/><data id="L_ServerAddressExternal_VALUE" value="TextValue2"/> + @@ -457,7 +457,7 @@ The following examples describe how to set an ADMX-ingested app policy. ./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode - <disabled/> + diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index 641b29babc..baade346a3 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -24,7 +24,7 @@ The following diagram shows the WiredNetwork configuration service provider in t Root node. **LanXML** -Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx. +Optional. XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx. Supported operations are Add, Get, Replace, and Delete. Value type is string. diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md index 0a156256a0..1fbdc8f4c3 100644 --- a/windows/client-management/mdm/wirednetwork-ddf-file.md +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md @@ -54,7 +54,7 @@ The XML below is the current version for this CSP. - XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx @@ -123,7 +123,7 @@ The XML below is the current version for this CSP. - XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/en-us/library/windows/desktop/aa816366(v=vs.85).aspx + XML describing the wired network configuration and follows the LAN_profile schemas https://msdn.microsoft.com/library/windows/desktop/aa816366(v=vs.85).aspx diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index 05490b9d7c..55704baa15 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -265,7 +265,7 @@ For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.micro [**Win32\_PageFileSetting**](https://msdn.microsoft.com/library/windows/hardware/aa394245) | [**Win32\_ParallelPort**](https://msdn.microsoft.com/library/windows/hardware/aa394247) | [**Win32\_PCMCIAController**](https://msdn.microsoft.com/library/windows/hardware/aa394251) | -[**Win32\_PhysicalMedia**](https://msdn.microsoft.com/en-us/library/windows/hardware/aa394346) | +[**Win32\_PhysicalMedia**](https://msdn.microsoft.com/library/windows/hardware/aa394346) | [**Win32\_PhysicalMemory**](https://msdn.microsoft.com/library/windows/hardware/aa394347) | ![cross mark](images/checkmark.png) [**Win32\_PnPDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394352) | [**Win32\_PnPEntity**](https://msdn.microsoft.com/library/windows/hardware/aa394353) | diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md index 92ca81cf5c..0fd57c2d06 100644 --- a/windows/client-management/reset-a-windows-10-mobile-device.md +++ b/windows/client-management/reset-a-windows-10-mobile-device.md @@ -65,7 +65,7 @@ To perform a "wipe and persist" reset, preserving the provisioning applied to th ## Reset using the UI -1. On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone** +1. On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone** 2. When you tap **Reset your phone**, the dialog box will present an option to **Also remove provisioned content** if: diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md new file mode 100644 index 0000000000..349f5fce9f --- /dev/null +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -0,0 +1,280 @@ +--- +title: Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device +description: Learn how to troubleshoot Stop error 7B or Inaccessible_Boot_Device +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/11/2018 +--- + +# Advanced troubleshooting for Stop error 7B or Inaccessible_Boot_Device + +This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer. + +## Causes of the Inaccessible_Boot_Device Stop error + +Any one of the following factors may cause the stop error: + +* Missing, corrupted, or misbehaving filter drivers that are related to the storage stack + +* File system corruption + +* Changes to the storage controller mode or settings in the BIOS + +* Using a different storage controller than the one that was used when Windows was installed + +* Moving the hard disk to a different computer that has a different controller + +* A faulty motherboard or storage controller, or faulty hardware + +* In unusual cases: the failure of the TrustedInstaller service to commit newly installed updates because of Component Based Store corruptions + +* Corrupted files in the **Boot** partition (for example, corruption in the volume that is labeled **SYSTEM** when you run the `diskpart` > `list vol` command) + +## Troubleshoot this error + +Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps. + +1. Start the system by using [the installation media for the installed version of Windows](https://support.microsoft.com/help/15088). + +2. On the **Install Windows** screen, select **Next** > **Repair your computer** . + +3. On the **System Recovery Options** screen, select **Next** > **Command Prompt** . + +### Verify that the boot disk is connected and accessible + +#### Step 1 + + At the WinRE Command prompt, run `diskpart`, and then run `list disk`. + +A list of the physical disks that are attached to the computer should be displayed and resemble the following display: + +``` + Disk ### Status Size Free Dyn Gpt + + -------- ------------- ------- ------- --- --- + + Disk 0 Online **size* GB 0 B * +``` + +If the computer uses a Unified Extensible Firmware Interface (UEFI) startup interface, there will be an asterisk (*) in the **GPT** column. + +If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column. + +#### Step 2 + +If the `list disk` command lists the OS disks correctly, run the `list vol` command in `diskpart`. + +`list vol` generates an output that resembles the following display: + +``` + Volume ### Ltr Label Fs Type Size Status Info + + ---------- --- ----------- ----- ---------- ------- --------- -------- + + Volume 0 Windows RE NTFS Partition 499 MB Healthy + + Volume 1 C OSDisk NTFS Partition 222 GB Healthy Boot + + Volume 2 SYSTEM FAT32 Partition 499 MB Healthy System +``` + +>[!NOTE] +>If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer. + +### Verify the integrity of Boot Configuration Database + +Check whether the Boot Configuration Database (BCD) has all the correct entries. To do this, run `bcdedit` at the WinRE command prompt. + +To verify the BCD entries: + +1. Examine the **Windows Boot Manager** section that has the **{bootmgr}** identifier. Make sure that the **device** and **path** entries point to the correct device and boot loader file. + + An example output if the computer is UEFI-based: + + ``` + device partition=\Device\HarddiskVolume2 + path \EFI\Microsoft\Boot\bootmgfw.efi + ``` + + An example output if the machine is BIOS based: + ``` + Device partition=C: + ``` + >[!NOTE] + >This output may not contain a path. + +2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. + + >[!NOTE] + >If the computer is UEFI-based, the **bootmgr** and **winload** entires under **{default}** will contain an **.efi** extension. + + ![bcdedit](images/screenshot1.png) + +If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that is named **bcdbackup** . To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup** . + +After the backup is completed, run the following command to make the changes: + +
      bcdedit /set *{identifier}* option value
      + +For example, if the device under {default} is wrong or missing, run the following command to set it: `bcdedit /set {default} device partition=C:` + + If you want to re-create the BCD completely, or if you get a message that states that "**The boot configuration data store could not be opened. The system could not find the file specified,** " run `bootrec /rebuildbcd`. + +If the BCD has the correct entries, check whether the **winload** and **bootmgr** entries exist in the correct location per the path that is specified in the **bcdedit** command. By default, **bootmgr** in the BIOS partition will be in the root of the **SYSTEM** partition. To see the file, run `Attrib -s -h -r`. + +If the files are missing, and you want to rebuild the boot files, follow these steps: + +1. Copy all the contents under the **SYSTEM** partition to another location. Alternatively, you can use the command prompt to navigate to the OS drive, create a new folder, and then copy all the files and folders from the **SYSTEM** volume, as follows: + +``` +D:\> Mkdir BootBackup +R:\> Copy *.* D:\BootBackup +``` + +2. If you are using Windows 10, or if you are troubleshooting by using a Windows 10 ISO at the Windows Pre-Installation Environment command prompt, you can use the **bcdboot** command to re-create the boot files, as follows: + + ```cmd + Bcdboot <**OSDrive* >:\windows /s <**SYSTEMdrive* >: /f ALL + ``` + + For example: if we assign the ,System Drive> (WinRE drive) the letter R and the is the letter D, this command would be the following: + + ```cmd + Bcdboot D:\windows /s R: /f ALL + ``` + + >[!NOTE] + >The **ALL** part of the **bcdboot** command writes all the boot files (both UEFI and BIOS) to their respective locations. + +If you do not have a Windows 10 ISO, you must format the partition and copy **bootmgr** from another working computer that has a similar Windows build. To do this, follow these steps: + +1. Start **Notepad** . + +2. Press Ctrl+O. + +3. Navigate to the system partition (in this example, it is R). + +4. Right-click the partition, and then format it. + +### Troubleshooting if this issue occurs after a Windows Update installation + +Run the following command to verify the Windows update installation and dates: + +```cmd +Dism /Image:: /Get-packages +``` + +After you run this command, you will see the **Install pending** and **Uninstall Pending ** packages: + +![Dism output](images/pendingupdate.png) + +1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer. + + ![Dism output](images/revertpending.png) + +2. Navigate to ***OSdriveLetter* :\Windows\WinSxS** , and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**. + +3. To revert the registry changes, type **regedit** at the command prompt to open **Registry Editor**. + +4. Select **HKEY_LOCAL_MACHINE**, and then go to **File** > **Load Hive**. + +5. Navigate to **OSdriveLetter:\Windows\System32\config**, select the file that is named **COMPONENT** (with no extension), and then select **Open**. When you are prompted, enter the name **OfflineComponentHive** for the new hive + + ![Load Hive](images/loadhive.png) + +6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key. + +7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**. + + ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png) + +8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter* :\Windows\System32\config**, select the file that is named **SYSTEM** (with no extension), and then select **Open** . When you are prompted, enter the name **OfflineSystemHive** for the new hive. + +9. Expand **HKEY_LOCAL_MACHINE\OfflineSystemHive**, and then select the **Select** key. Check the data for the **Default** value. + +10. If the data in **HKEY_LOCAL_MACHINE\OfflineSystemHive\Select\Default** is **1** , expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001**. If it is **2**, expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet002**, and so on. + +11. Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key. + +### Verifying boot critical drivers and services + +#### Check services + +1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.) + +2. Expand **Services**. + +3. Make sure that the following registry keys exist under **Services**: + + * ACPI + + * DISK + + * VOLMGR + + * PARTMGR + + * VOLSNAP + + * VOLUME + +If these keys exist, check each one to make sure that it has a value that is named **Start** and that it is set to **0**. If not, set the value to **0**. + +If any of these keys do not exist, you can try to replace the current registry hive by using the hive from **RegBack**. To do this, run the following commands: + +```cmd +cd OSdrive:\Windows\System32\config +ren SYSTEM SYSTEM.old +copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\config\ +``` + +#### Check upper and lower filter drivers + +Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers: + +1. Expand **HKEY_LOCAL_MACHINE\OfflineHive\ControlSet001\Control**. + +2. Look for any **UpperFilters** or **LowerFilters** entries. + + >[!NOTE] + >These filters are mainly related to storage. After you expand the **Control** key in the registry, you can search for **UpperFilters** and **LowerFilters**. + + The following are some of the different registry entries in which you may find these filter drivers. These entries are located under **ControlSet** and are designated as **Default** : + +\Control\Class\\{4D36E96A-E325-11CE-BFC1-08002BE10318} + +\Control\Class\\{4D36E967-E325-11CE-BFC1-08002BE10318} + +\Control\Class\\{4D36E97B-E325-11CE-BFC1-08002BE10318} + +\Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F} + +![Registry](images/controlset.png) + +If an **UpperFilters** or **LowerFilters** entry is non-standard (for example, it is not a Windows default filter driver, such as PartMgr), remove the entry by double-clicking it in the right pane, and then deleting only that value. + +>[!NOTE] +>There could be multiple entries. + +The reason that these entries may affect us is because there may be an entry in the **Services** branch that has a START type set to 0 or 1 (indicating that it is loaded at the Boot or Automatic part of the boot process). Also, either the file that is referred to is missing or corrupted, or it may be named differently than what is listed in the entry. + +>[!NOTE] +>If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error. + +### Running SFC and Chkdsk + + If the computer still does not start, you can try to run a **chkdisk** process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt: + +* `chkdsk /f /r OsDrive:` + + ![Check disk](images/check-disk.png) + +* `sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows` + + ![SFC scannow](images/sfc-scannow.png) + diff --git a/windows/client-management/troubleshoot-networking.md b/windows/client-management/troubleshoot-networking.md new file mode 100644 index 0000000000..6865732607 --- /dev/null +++ b/windows/client-management/troubleshoot-networking.md @@ -0,0 +1,20 @@ +--- +title: Advanced troubleshooting for Windows networking issues +description: Learn how to troubleshoot networking issues. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: +--- + +# Advanced troubleshooting for Windows networking issues + +In these topics, you will learn how to troubleshoot common problems related to Windows networking. + +- [Advanced troubleshooting Wireless Network](advanced-troubleshooting-wireless-network-connectivity.md) +- [Data collection for troubleshooting 802.1x authentication](data-collection-for-802-authentication.md) +- [Advanced troubleshooting 802.1x authentication](advanced-troubleshooting-802-authentication.md) +- [Advanced troubleshooting for TCP/IP issues](troubleshoot-tcpip.md) diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md new file mode 100644 index 0000000000..1ab9a027c6 --- /dev/null +++ b/windows/client-management/troubleshoot-stop-errors.md @@ -0,0 +1,177 @@ +--- +title: Advanced troubleshooting for Stop error or blue screen error issue +description: Learn how to troubleshoot Stop error or blue screen issues. +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/19/2018 +--- + +# Advanced troubleshooting for Stop error or blue screen error issue + +>[!NOTE] +>If you're not a support agent or IT professional, you'll find more helpful information about Stop error ("blue screen") messages in [Troubleshoot blue screen errors](https://support.microsoft.com/help/14238). + + +## What causes Stop errors? + +A Stop error is displayed as a blue screen that contains the name of the faulty driver, such as any of the following example drivers: + +- atikmpag.sys +- igdkmd64.sys +- nvlddmkm.sys + +There is no simple explanation for the cause of Stop errors (also known as blue screen errors or bug check errors). Many different factors can be involved. However, various studies indicate that Stop errors usually are not caused by Microsoft Windows components. Instead, these errors are generally related to malfunctioning hardware drivers or drivers that are installed by third-party software. This includes video cards, wireless network cards, security programs, and so on. + +Our analysis of the root causes of crashes indicates the following: + +- 70 percent are caused by third-party driver code +- 10 percent are caused by hardware issues +- 5 percent are caused by Microsoft code +- 15 percent have unknown causes (because the memory is too corrupted to analyze) + +## General troubleshooting steps + +To troubleshoot Stop error messages, follow these general steps: + +1. Review the Stop error code that you find in the event logs. Search online for the specific Stop error codes to see whether there are any known issues, resolutions, or workarounds for the problem. +2. As a best practice, we recommend that you do the following: + + a. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: + + - [Windows 10, version 1803](https://support.microsoft.com/help/4099479) + - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) + - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) + - [Windows Server 2016 and Windows 10, version 1607](https://support.microsoft.com/help/4000825) + - [Windows 10, version 1511](https://support.microsoft.com/help/4000824) + - [Windows Server 2012 R2 and Windows 8.1](https://support.microsoft.com/help/4009470) + - [Windows Server 2008 R2 and Windows 7 SP1](https://support.microsoft.com/help/4009469) + + b. Make sure that the BIOS and firmware are up-to-date. + + c. Run any relevant hardware and memory tests. + +3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions. + +4. Run [Microsoft Safety Scanner](http://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections. + +5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10 to 15 percent free disk space. + +6. Contact the respective hardware or software vendor to update the drivers and applications in the following scenarios: + + - The error message indicates that a specific driver is causing the problem. + - You are seeing an indication of a service that is starting or stopping before the crash occurred. In this situation, determine whether the service behavior is consistent across all instances of the crash. + - You have made any software or hardware changes. + + >[!NOTE] + >If there are no updates available from a specific manufacturer, it is recommended that you disable the related service. + > + >To do this, see [How to perform a clean boot in Windows](https://support.microsoft.com/help/929135) + > + >You can disable a driver by following the steps in [How to temporarily deactivate the kernel mode filter driver in Windows](https://support.microsoft.com/help/816071). + > + >You may also want to consider the option of rolling back changes or reverting to the last-known working state. For more information, see [Roll Back a Device Driver to a Previous Version](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732648(v=ws.11)). + +### Memory dump collection + +To configure the system for memory dump files, follow these steps: + +1. [Download DumpConfigurator tool](https://codeplexarchive.blob.core.windows.net/archive/projects/WinPlatTools/WinPlatTools.zip). +2. Extract the .zip file and navigate to **Source Code** folder. +3. Run the tool DumpConfigurator.hta, and then select **Elevate this HTA**. +3. Select **Auto Config Kernel**. +4. Restart the computer for the setting to take effect. +5. Stop and disable Automatic System Restart Services (ASR) to prevent dump files from being written. +6. If the server is virtualized, disable auto reboot after the memory dump file is created. This lets you take a snapshot of the server in-state and also if the problem recurs. + +The memory dump file is saved at the following locations. + +| Dump file type | Location | +|----------------|----------| +|(none) | %SystemRoot%\MEMORY.DMP (inactive, or greyed out) | +|Small memory dump file (256kb) | %SystemRoot%\Minidump | +|Kernel memory dump file | %SystemRoot%\MEMORY.DMP | +| Complete memory dump file | %SystemRoot%\MEMORY.DMP | +| Automatic memory dump file | %SystemRoot%\MEMORY.DMP | +| Active memory dump file | %SystemRoot%\MEMORY.DMP | + +You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. For more information, see the following video: + +>[!video https://www.youtube.com/embed/xN7tOfgNKag] + +More information on how to use Dumpchk.exe to check your dump files: + +- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) +- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) + +### Pagefile Settings + +- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658) +- [How to determine the appropriate page file size for 64-bit versions of Windows](https://support.microsoft.com/help/2860880) +- [How to generate a kernel or a complete memory dump file in Windows Server 2008 and Windows Server 2008 R2](https://support.microsoft.com/help/969028) + +### Memory dump analysis + +Finding the root cause of the crash may not be easy. Hardware problems are especially difficult to diagnose because they may cause erratic and unpredictable behavior that can manifest itself in a variety of symptoms. + +When a Stop error occurs, you should first isolate the problematic components, and then try to cause them to trigger the Stop error again. If you can replicate the problem, you can usually determine the cause. + +You can use the tools such as Windows Software Development KIT (SDK) and Symbols to diagnose dump logs. + +## Video resources + +The following videos illustrate various troubleshooting techniques on analyzing dump file. + +- [Analyze Dump File](https://www.youtube.com/watch?v=s5Vwnmi_TEY) + +- [Installing Debugging Tool for Windows (x64 and x86)](https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-Building-your-USB-thumbdrive/player#time=22m29s:paused) + +- [Debugging kernel mode crash memory dumps](https://channel9.msdn.com/Shows/Defrag-Tools/DefragTools-137-Debugging-kernel-mode-dumps) + +- [Special Pool](https://www.youtube.com/watch?v=vHXYS9KdU1k) + + +## Advanced troubleshooting using Driver Verifier + +We estimate that about 75 percent of all Stop errors are caused by faulty drivers. The Driver Verifier tool provides several methods to help you troubleshoot. These include running drivers in an isolated memory pool (without sharing memory with other components), generating extreme memory pressure, and validating parameters. If the tool encounters errors in the execution of driver code, it proactively creates an exception to let that part of the code be examined further. + +>[!WARNING] +>Driver Verifier consumes lots of CPU and can slow down the computer significantly. You may also experience additional crashes. Verifier disables faulty drivers after a Stop error occurs, and continues to do this until you can successfully restart the system and access the desktop. You can also expect to see several dump files created. +> +>Don’t try to verify all the drivers at one time. This can degrade performance and make the system unusable. This also limits the effectiveness of the tool. + +Use the following guidelines when you use Driver Verifier: + +- Test any “suspicious” drivers (drivers that were recently updated or that are known to be problematic). +- If you continue to experience non-analyzable crashes, try enabling verification on all third-party and unsigned drivers. +- Enable concurrent verification on groups of 10 to 20 drivers. +- Additionally, if the computer cannot boot into the desktop because of Driver Verifier, you can disable the tool by starting in Safe mode. This is because the tool cannot run in Safe mode. + +For more information, see [Driver Verifier](https://docs.microsoft.com/windows-hardware/drivers/devtest/driver-verifier). + +## Common Windows Stop errors + +This section doesn't contain a list of all error codes, but since many error codes have the same potential resolutions, your best bet is to follow the steps below to troubleshoot your error. + +The following table lists general troubleshooting procedures for common Stop error codes. + +Stop error message and code | Mitigation +--- | --- +VIDEO_ENGINE_TIMEOUT_DETECTED or VIDEO_TDR_TIMEOUT_DETECTED
      Stop error code 0x00000141, or 0x00000117 | Contact the vendor of the listed display driver to get an appropriate update for that driver. +DRIVER_IRQL_NOT_LESS_OR_EQUAL
      Stop error code 0x0000000D1 | Apply the latest updates for the driver by applying the latest cumulative updates for the system through the Microsoft Update Catalog website.Update an outdated NIC driver. Virtualized VMware systems often run “Intel(R) PRO/1000 MT Network Connection” (e1g6032e.sys). This driver is available at [http://downloadcenter.intel.com](http://downloadcenter.intel.com). Contact the hardware vendor to update the NIC driver for a resolution. For VMware systems, use the VMware integrated NIC driver (types VMXNET or VMXNET2 , VMXNET3 can be used) instead of Intel e1g6032e.sys. +PAGE_FAULT_IN_NONPAGED_AREA
      Stop error code 0x000000050 | If a driver is identified in the Stop error message, contact the manufacturer for an update.If no updates are available, disable the driver, and monitor the system for stability. Run Chkdsk /f /r to detect and repair disk errors. You must restart the system before the disk scan begins on a system partition. Contact the manufacturer for any diagnostic tools that they may provide for the hard disk subsystem. Try to reinstall any application or service that was recently installed or updated. It's possible that the crash was triggered while the system was starting applications and reading the registry for preference settings. Reinstalling the application can fix corrupted registry keys.If the problem persists, and you have run a recent system state backup, try to restore the registry hives from the backup. +SYSTEM_SERVICE_EXCEPTION
      Stop error code c000021a {Fatal System Error} The Windows SubSystem system process terminated unexpectedly with a status of 0xc0000005. The system has been shut down. | Use the System File Checker tool to repair missing or corrupted system files. The System File Checker lets users scan for corruptions in Windows system files and restore corrupted files. For more information, see [Use the System File Checker tool](https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system-files). +NTFS_FILE_SYSTEM
      Stop error code 0x000000024 | This Stop error is commonly caused by corruption in the NTFS file system or bad blocks (sectors) on the hard disk. Corrupted drivers for hard disks (SATA or IDE) can also adversely affect the system's ability to read and write to disk. Run any hardware diagnostics that are provided by the manufacturer of the storage subsystem. Use the scan disk tool to verify that there are no file system errors. To do this, right-click the drive that you want to scan, select Properties, select Tools, and then select the Check now button.We also suggest that you update the NTFS file system driver (Ntfs.sys), and apply the latest cumulative updates for the current operating system that is experiencing the problem. +KMODE_EXCEPTION_NOT_HANDLED
      Stop error code 0x0000001E | If a driver is identified in the Stop error message, disable or remove that driver. Disable or remove any drivers or services that were recently added.

      If the error occurs during the startup sequence, and the system partition is formatted by using the NTFS file system, you might be able to use Safe mode to disable the driver in Device Manager. To do this, follow these steps:

      Go to **Settings > Update & security > Recovery**. Under **Advanced startup**, select **Restart now**. After your PC restarts to the **Choose an option** screen, select **Troubleshoot > Advanced options > Startup Settings > Restart**. After the computer restarts, you'll see a list of options. Press **4** or **F4** to start the computer in Safe mode. Or, if you intend to use the Internet while in Safe mode, press **5** or **F5** for the Safe Mode with Networking option. +DPC_WATCHDOG_VIOLATION
      Stop error code 0x00000133 | This Stop error code is caused by a faulty driver that does not complete its work within the allotted time frame in certain conditions. To enable us to help mitigate this error, collect the memory dump file from the system, and then use the Windows Debugger to find the faulty driver. If a driver is identified in the Stop error message, disable the driver to isolate the problem. Check with the manufacturer for driver updates. Check the system log in Event Viewer for additional error messages that might help identify the device or driver that is causing Stop error 0x133. Verify that any new hardware that is installed is compatible with the installed version of Windows. For example, you can get information about required hardware at Windows 10 Specifications. If Windows Debugger is installed, and you have access to public symbols, you can load the c:\windows\memory.dmp file into the Debugger, and then refer to [Determining the source of Bug Check 0x133 (DPC_WATCHDOG_VIOLATION) errors on Windows Server 2012](https://blogs.msdn.microsoft.com/ntdebugging/2012/12/07/determining-the-source-of-bug-check-0x133-dpc_watchdog_violation-errors-on-windows-server-2012/) to find the problematic driver from the memory dump. +USER_MODE_HEALTH_MONITOR
      Stop error code 0x0000009E | This Stop error indicates that a user-mode health check failed in a way that prevents graceful shutdown. Therefore, Windows restores critical services by restarting or enabling application failover to other servers. The Clustering Service incorporates a detection mechanism that may detect unresponsiveness in user-mode components.
      This Stop error usually occurs in a clustered environment, and the indicated faulty driver is RHS.exe.Check the event logs for any storage failures to identify the failing process.Try to update the component or process that is indicated in the event logs. You should see the following event recorded:
      Event ID: 4870
      Source: Microsoft-Windows-FailoverClustering
      Description: User mode health monitoring has detected that the system is not being responsive. The Failover cluster virtual adapter has lost contact with the Cluster Server process with a process ID ‘%1’, for ‘%2’ seconds. Recovery action will be taken. Review the Cluster logs to identify the process and investigate which items might cause the process to hang.
      For more information, see ["Why is my Failover Clustering node blue screening with a Stop 0x0000009E?"](https://blogs.technet.microsoft.com/askcore/2009/06/12/why-is-my-failover-clustering-node-blue-screening-with-a-stop-0x0000009e) Also, see the following Microsoft video [What to do if a 9E occurs](https://www.youtube.com/watch?v=vOJQEdmdSgw). + + + +## References + +- [Bug Check Code Reference](https://docs.microsoft.com/windows-hardware/drivers/debugger/bug-check-code-reference2) diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md new file mode 100644 index 0000000000..ba947f741a --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-connectivity.md @@ -0,0 +1,109 @@ +--- +title: Troubleshoot TCP/IP connectivity +description: Learn how to troubleshoot TCP/IP connectivity. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Troubleshoot TCP/IP connectivity + +You might come across connectivity errors on the application end or timeout errors. Most common scenarios would include application connectivity to a database server, SQL timeout errors, BizTalk application timeout errors, Remote Desktop Protocol (RDP) failures, file share access failures, or general connectivity. + +When you suspect that the issue is on the network, you collect a network trace. The network trace would then be filtered. During troubleshooting connectivity errors, you might come across TCP reset in a network capture which could indicate a network issue. + +* TCP is defined as connection-oriented and reliable protocol. One of the ways in which TCP ensures this is through the handshake process. Establishing a TCP session would begin with a 3-way handshake, followed by data transfer, and then a 4-way closure. The 4-way closure where both sender and receiver agree on closing the session is termed as *graceful closure*. After the 4-way closure, the server will allow 4 minutes of time (default), during which any pending packets on the network are to be processed, this is the TIME_WAIT state. Once the TIME_WAIT state is done, all the resources allocated for this connection are released. + +* TCP reset is an abrupt closure of the session which causes the resources allocated to the connection to be immediately released and all other information about the connection is erased. + +* TCP reset is identified by the RESET flag in the TCP header set to `1`. + +A network trace on the source and the destination which will help you determine the flow of the traffic and see at what point the failure is observed. + +The following sections describe some of the scenarios when you will see a RESET. + +## Packet drops + +When one TCP peer is sending out TCP packets for which there is no response received from the other end, the TCP peer would end up re-transmitting the data and when there is no response received, it would end the session by sending an ACK RESET( meaning, application acknowledges whatever data exchanged so far, but due to packet drop closing the connection). + +The simultaneous network traces on source and destination will help you verify this behavior where on the source side you would see the packets being retransmitted and on the destination none of these packets are seen. This would mean, the network device between the source and destination is dropping the packets. + +If the initial TCP handshake is failing because of packet drops then you would see that the TCP SYN packet is retransmitted only 3 times. + +Source side connecting on port 445: + +![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png) + +Destination side: applying the same filter, you do not see any packets. + +![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png) + +For the rest of the data, TCP will retransmit the packets 5 times. + +**Source 192.168.1.62 side trace:** + +![Screenshot showing packet side trace](images/tcp-ts-8.png) + +**Destination 192.168.1.2 side trace:** + +You would not see any of the above packets. Engage your network team to investigate with the different hops and see if any of them are potentially causing drops in the network. + +If you are seeing that the SYN packets are reaching the destination, but the destination is still not responding, then verify if the port that you are trying to connect to is in the listening state. (Netstat output will help). If the port is listening and still there is no response, then there could be a wfp drop. + +## Incorrect parameter in the TCP header + +You see this behavior when the packets are modified in the network by middle devices and TCP on the receiving end is unable to accept the packet, such as the sequence number being modified, or packets being re-played by middle device by changing the sequence number. Again, the simultaneous network trace on the source and destination will be able to tell you if any of the TCP headers are modified. Start by comparing the source trace and destination trace, you will be able to notice if there is a change in the packets itself or if any new packets are reaching the destination on behalf of the source. + +In this case, you will again need help from the network team to identify any such device which is modifying packets or re-playing packets to the destination. The most common ones are RiverBed devices or WAN accelerators. + + +## Application side reset + +When you have identified that the resets are not due to retransmits or incorrect parameter or packets being modified with the help of network trace, then you have narrowed it down to application level reset. + +The application resets are the ones where you see the Acknowledgement flag set to `1` along with the reset flag. This would mean that the server is acknowledging the receipt of the packet but for some reason it will not accept the connection. This is when the application that received the packet did not like something it received. + +In the below screenshots, you see that the packets seen on the source and the destination are the same without any modification or any drops, but you see an explicit reset sent by the destination to the source. + +**Source Side** + +![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png) + +**On the destination-side trace** + +![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png) + +You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet. + +![Screenshot of packet flag](images/tcp-ts-11.png) + +The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. + +>[!Note] +>The above information is about resets from a TCP standpoint and not UDP. UDP is a connectionless protocol and the packets are sent unreliably. You would not see retransmission or resets when using UDP as a transport protocol. However, UDP makes use of ICMP as a error reporting protocol. When you have the UDP packet sent out on a port and the destination does not have port listed, you will see the destination sending out **ICMP Destination host unreachable: Port unreachable** message immediately after the UDP packet + + +```typescript +10.10.10.1 10.10.10.2 UDP UDP:SrcPort=49875,DstPort=3343 + +10.10.10.2 10.10.10.1 ICMP ICMP:Destination Unreachable Message, Port Unreachable,10.10.10.2:3343 +``` + + +During the course of troubleshooting connectivity issue, you might also see in the network trace that a machine receives packets but does not respond to. In such cases, there could be a drop at the server level. You should enable firewall auditing on the machine to understand if the local firewall is dropping the packet. + +```typescript +auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable +``` + +You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it. + +![Screenshot of Event Properties](images/tcp-ts-12.png) + +Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection. + +![Screenshot of wfpstate.xml file](images/tcp-ts-13.png) \ No newline at end of file diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md new file mode 100644 index 0000000000..a82076e8d9 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-netmon.md @@ -0,0 +1,60 @@ +--- +title: Collect data using Network Monitor +description: Learn how to run Network Monitor to collect data for troubleshooting TCP/IP connectivity. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Collect data using Network Monitor + +In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is a tool for capturing network traffic. + +To get started, [download and run NM34_x64.exe](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image. + +![A view of the properties for the adapter](images/tcp-ts-1.png) + +When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch. + +**To capture traffic** + +1. Click **Start** and enter **Netmon**. + +2. For **netmon run command**,select **Run as administrator**. + + ![Image of Start search results for Netmon](images/tcp-ts-3.png) + +3. Network Monitor opens with all network adapters displayed. Select **New Capture**, and then select **Start**. + + ![Image of the New Capture option on menu](images/tcp-ts-4.png) + +4. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire. + + ![Frame summary of network packets](images/tcp-ts-5.png) + +5. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file. + +The saved file has captured all the traffic that is flowing to and from the network adapters of this machine. However, your interest is only to look into the traffic/packets that are related to the specific connectivity problem you are facing. So you will need to filter the network capture to see only the related traffic. + +**Commonly used filters** + +- Ipv4.address=="client ip" and ipv4.address=="server ip" +- Tcp.port== +- Udp.port== +- Icmp +- Arp +- Property.tcpretranmits +- Property.tcprequestfastretransmits +- Tcp.flags.syn==1 + +>[!TIP] +>If you want to filter the capture for a specific field and do not know the syntax for that filter, just right-click that field and select **Add *the selected value* to Display Filter**. + +Network traces which are collected using the **netsh** commands built in to Windows are of the extension "ETL". However, these ETL files can be opened using Network Monitor for further analysis. + + + diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md new file mode 100644 index 0000000000..8fb6da7063 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -0,0 +1,196 @@ +--- +title: Troubleshoot port exhaustion issues +description: Learn how to troubleshoot port exhaustion issues. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Troubleshoot port exhaustion issues + +TCP and UDP protocols work based on port numbers used for establishing connection. Any application or a service that needs to establish a TCP/UDP connection will require a port on its side. + +There are two types of ports: + +- *Ephemeral ports*, which are usually dynamic ports, are the set of ports that every machine by default will have them to make an outbound connection. +- *Well-known ports* are the defined port for a particular application or service. For example, file server service is on port 445, HTTPS is 443, HTTP is 80, and RPC is 135. Custom application will also have their defined port numbers. + +Clients when connecting to an application or service will make use of an ephemeral port from its machine to connect to a well-known port defined for that application or service. A browser on a client machine will use an ephemeral port to connect to https://www.microsoft.com on port 443. + +In a scenario where the same browser is creating a lot of connections to multiple website, for any new connection that the browser is attempting, an ephemeral port is used. After some time, you will notice that the connections will start to fail and one high possibility for this would be because the browser has used all the available ports to make connections outside and any new attempt to establish a connection will fail as there are no more ports available. When all the ports are on a machine are used, we term it as *port exhaustion*. + +## Default dynamic port range for TCP/IP + +To comply with [Internet Assigned Numbers Authority (IANA)](http://www.iana.org/assignments/port-numbers) recommendations, Microsoft has increased the dynamic client port range for outgoing connections. The new default start port is **49152**, and the new default end port is **65535**. This is a change from the configuration of earlier versions of Windows that used a default port range of **1025** through **5000**. + +You can view the dynamic port range on a computer by using the following netsh commands: + +- `netsh int ipv4 show dynamicport tcp` +- `netsh int ipv4 show dynamicport udp` +- `netsh int ipv6 show dynamicport tcp` +- `netsh int ipv6 show dynamicport udp` + + +The range is set separately for each transport (TCP or UDP). The port range is now a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of **49152** through **65535**. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server. You adjust this range by using the netsh command, as follows. The above command sets the dynamic port range for TCP. + +```cmd +netsh int set dynamic start=number num=range +``` + +The start port is number, and the total number of ports is range. The following are sample commands: + +- `netsh int ipv4 set dynamicport tcp start=10000 num=1000` +- `netsh int ipv4 set dynamicport udp start=10000 num=1000` +- `netsh int ipv6 set dynamicport tcp start=10000 num=1000` +- `netsh int ipv6 set dynamicport udp start=10000 num=1000` + +These sample commands set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. To duplicate the default behavior of Windows Server 2003, use 1025 as the start port, and then use 3976 as the range for both TCP and UDP. This results in a start port of 1025 and an end port of 5000. + +Specifically, about outbound connections as incoming connections will not require an Ephemeral port for accepting connections. + +Since outbound connections start to fail, you will see a lot of the below behaviors: + +- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work. + + ![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png) + +- Group Policy update failures: + + ![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png) + +- File shares are inaccessible: + + ![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png) + +- RDP from the affected server fails: + + ![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png) + +- Any other application running on the machine will start to give out errors + +Reboot of the server will resolve the issue temporarily, but you would see all the symptoms come back after a period of time. + +If you suspect that the machine is in a state of port exhaustion: + +1. Try making an outbound connection. From the server/machine, access a remote share or try an RDP to another server or telnet to a server on a port. If the outbound connection fails for all of these, go to the next step. + +2. Open event viewer and under the system logs, look for the events which clearly indicate the current state: + + a. **Event ID 4227** + + ![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png) + + b. **Event ID 4231** + + ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png) + +3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. + + ![Screenshot of netstate command output](images/tcp-ts-20.png) + +After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. + +You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. + +>[!Note] +>Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. +> +>Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. + +4. Open a command prompt in admin mode and run the below command + + ```cmd + Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl + ``` + +5. Open the server.etl file with [Network Monitor](troubleshoot-tcpip-netmon.md) and in the filter section, apply the filter **Wscore_MicrosoftWindowsWinsockAFD.AFD_EVENT_BIND.Status.LENTStatus.Code == 0x209**. You should see entries which say **STATUS_TOO_MANY_ADDRESSES**. If you do not find any entries, then the server is still not out of ports. If you find them, then you can confirm that the server is under port exhaustion. + +## Troubleshoot Port exhaustion + +The key is to identify which process or application is using all the ports. Below are some of the tools that you can use to isolate to one single process + +### Method 1 + +Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below Powershell command to identify the process: + +```Powershell +Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending +``` + +Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports. + +For Windows 7 and Windows Server 2008 R2, you can update your Powershell version to include the above cmdlet. + +### Method 2 + +If method 1 does not help you identify the process (prior to Windows 10 and Windows Server 2012 R2), then have a look at Task Manager: + +1. Add a column called “handles” under details/processes. +2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe. + + ![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png) + +3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds. + +### Method 3 + +If Task Manager did not help you identify the process, then use Process Explorer to investigate the issue. + +Steps to use Process explorer: + +1. [Download Process Explorer](https://docs.microsoft.com/sysinternals/downloads/process-explorer) and run it **Elevated**. +2. Alt + click the column header, select **Choose Columns**, and on the **Process Performance** tab, add **Handle Count**. +3. Select **View \ Show Lower Pane**. +4. Select **View \ Lower Pane View \ Handles**. +5. Click the **Handles** column to sort by that value. +6. Examine the processes with higher handle counts than the rest (will likely be over 10,000 if you can't make outbound connections). +7. Click to highlight one of the processes with a high handle count. +8. In the lower pane, the handles listed as below are sockets. (Sockets are technically file handles). + + File \Device\AFD + + ![Screenshot of Process Explorer](images/tcp-ts-22.png) + +10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app. + +Finally, if the above methods did not help you isolate the process, we suggest you collect a complete memory dump of the machine in the issue state. The dump will tell you which process has the maximum handles. + +As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands: + +```cmd +netsh int ipv4 set dynamicport tcp start=10000 num=1000 +``` + +This will set the dynamic port range to start at port 10000 and to end at port 10999 (1000 ports). The minimum range of ports that can be set is 255. The minimum start port that can be set is 1025. The maximum end port (based on the range being configured) cannot exceed 65535. + +>[!NOTE] +>Note that increasing the dynamic port range is not a permanent solution but only temporary. You will need to track down which process/processors are consuming max number of ports and troubleshoot from that process standpoint as to why its consuming such high number of ports. + +For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend. + +``` +@ECHO ON +set v=%1 +:loop +set /a v+=1 +ECHO %date% %time% >> netstat.txt +netstat -ano >> netstat.txt + +PING 1.1.1.1 -n 1 -w 60000 >NUL + +goto loop +``` + + + + +## Useful links + +- [Port Exhaustion and You!](https://blogs.technet.microsoft.com/askds/2008/10/29/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend/) - this article gives a detail on netstat states and how you can use netstat output to determine the port status + +- [Detecting ephemeral port exhaustion](https://blogs.technet.microsoft.com/clinth/2013/08/09/detecting-ephemeral-port-exhaustion/): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10) + diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md new file mode 100644 index 0000000000..c747c000a8 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md @@ -0,0 +1,187 @@ +--- +title: Troubleshoot Remote Procedure Call (RPC) errors +description: Learn how to troubleshoot Remote Procedure Call (RPC) errors +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Troubleshoot Remote Procedure Call (RPC) errors + +You might encounter an **RPC server unavailable** error when connecting to Windows Management Instrumentation (WMI), SQL Server, during a remote connection, or for some Microsoft Management Console (MMC) snap-ins. The following image is an example of an RPC error. + +![The following error has occurred: the RPC server is unavailable](images/rpc-error.png) + +This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’. + +Before getting in to troubleshooting the **RPC server unavailable*- error, let’s first understand basics about the error. There are a few important terms to understand: + +- Endpoint mapper – a service listening on the server, which guides client apps to server apps by port and UUID. +- Tower – describes the RPC protocol, to allow the client and server to negotiate a connection. +- Floor – the contents of a tower with specific data like ports, IP addresses, and identifiers. +- UUID – a well-known GUID that identifies the RPC application. The UUID is what you use to see a specific kind of RPC application conversation, as there are likely to be many. +- Opnum – the identifier of a function that the client wants the server to execute. It’s just a hexadecimal number, but a good network analyzer will translate the function for you. If neither knows, your application vendor must tell you. +- Port – the communication endpoints for the client and server applications. +- Stub data – the information given to functions and data exchanged between the client and server. This is the payload, the important part. + +>[!Note] +> A lot of the above information is used in troubleshooting, the most important is the Dynamic RPC port number you get while talking to EPM. + +## How the connection works + +Client A wants to execute some functions or wants to make use of a service running on the remote server, will first establish the connection with the Remote Server by doing a three-way handshake. + +![Diagram illustrating connection to remote server](images/rpc-flow.png) + +RPC ports can be given from a specific range as well. +### Configure RPC dynamic port allocation + +Remote Procedure Call (RPC) dynamic port allocation is used by server applications and remote administration applications such as Dynamic Host Configuration Protocol (DHCP) Manager, Windows Internet Name Service (WINS) Manager, and so on. RPC dynamic port allocation will instruct the RPC program to use a particular random port in the range configured for TCP and UDP, based on the implementation of the operating system used. + +Customers using firewalls may want to control which ports RPC is using so that their firewall router can be configured to forward only these Transmission Control Protocol (UDP and TCP) ports. Many RPC servers in Windows let you specify the server port in custom configuration items such as registry entries. When you can specify a dedicated server port, you know what traffic flows between the hosts across the firewall, and you can define what traffic is allowed in a more directed manner. + +As a server port, please choose a port outside of the range you may want to specify below. You can find a comprehensive list of server ports that are used in Windows and major Microsoft products in the article [Service overview and network port requirements for Windows](https://support.microsoft.com/help/832017). +The article also lists the RPC servers and which RPC servers can be configured to use custom server ports beyond the facilities the RPC runtime offers. + +Some firewalls also allow for UUID filtering where it learns from a RPC Endpoint Mapper request for a RPC interface UUID. The response has the server port number, and a subsequent RPC Bind on this port is then allowed to pass. + +With Registry Editor, you can modify the following parameters for RPC. The RPC Port key values discussed below are all located in the following key in the registry: + +**HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet\ Entry name Data Type** + +**Ports REG_MULTI_SZ** + +- Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by **5984**, and a set of ports may be represented by **5000-5100**. If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid. + +**PortsInternetAvailable REG_SZ Y or N (not case-sensitive)** + +- If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available. + +**UseInternetPorts REG_SZ ) Y or N (not case-sensitive)** + +- Specifies the system default policy. +- If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously. +- If N, the processes using the default will be assigned ports from the set of intranet-only ports. + +**Example:** + +In this example ports 5000 through 6000 inclusive have been arbitrarily selected to help illustrate how the new registry key can be configured. This is not a recommendation of a minimum number of ports needed for any particular system. + +1. Add the Internet key under: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc + +2. Under the Internet key, add the values "Ports" (MULTI_SZ), "PortsInternetAvailable" (REG_SZ), and "UseInternetPorts" (REG_SZ). + + For example, the new registry key appears as follows: + Ports: REG_MULTI_SZ: 5000-6000 + PortsInternetAvailable: REG_SZ: Y + UseInternetPorts: REG_SZ: Y + +3. Restart the server. All applications that use RPC dynamic port allocation use ports 5000 through 6000, inclusive. + +You should open up a range of ports above port 5000. Port numbers below 5000 may already be in use by other applications and could cause conflicts with your DCOM application(s). Furthermore, previous experience shows that a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other. + +>[!Note] +>The minimum number of ports required may differ from computer to computer. Computers with higher traffic may run into a port exhaustion situation if the RPC dynamic ports are restricted. Take this into consideration when restricting the port range. + +>[!WARNING] +>If there is an error in the port configuration or there are insufficient ports in the pool, the Endpoint Mapper Service will not be able to register RPC servers with dynamic endpoints. When there is a configuration error, the error code will be 87 (0x57) ERROR_INVALID_PARAMETER. This can affect Windows RPC servers as well, such as Netlogon. It will log event 5820 in this case: +> +>Log Name: System +>Source: NETLOGON +>Event ID: 5820 +>Level: Error +>Keywords: Classic +>Description: +>The Netlogon service could not add the AuthZ RPC interface. The service was terminated. The following error occurred: 'The parameter is incorrect.' + +If you would like to do a deep dive as to how it works, see [RPC over IT/Pro](https://blogs.technet.microsoft.com/askds/2012/01/24/rpc-over-itpro/). + + +## Troubleshooting RPC error + +### PortQuery + +The best thing to always troubleshoot RPC issues before even getting in to traces is by making use of tools like **PortQry**. You can quickly determine if you are able to make a connection by running the command: + +```cmd +Portqry.exe -n -e 135 +``` + +This would give you a lot of output to look for, but you should be looking for **ip_tcp*- and the port number in the brackets, which tells whether you were successfully able to get a dynamic port from EPM and also make a connection to it. If the above fails, you can typically start collecting simultaneous network traces. Something like this from the output of “PortQry”: + +```cmd +Portqry.exe -n 169.254.0.2 -e 135 +``` +Partial output below: + +>Querying target system called: +>169.254.0.2 +>Attempting to resolve IP address to a name... +>IP address resolved to RPCServer.contoso.com +>querying... +>TCP port 135 (epmap service): LISTENING +>Using ephemeral source port +>Querying Endpoint Mapper Database... +>Server's response: +>UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d +>ncacn_ip_tcp:169.254.0.10**[49664]** + + +The one in bold is the ephemeral port number that you made a connection to successfully. + +### Netsh + +You can run the commands below to leverage Windows inbuilt netsh captures, to collect a simultaneous trace. Remember to execute the below on an “Admin CMD”, it requires elevation. + +- On the client +```cmd +Netsh trace start scenario=netconnection capture=yes tracefile=c:\client_nettrace.etl maxsize=512 overwrite=yes report=yes +``` + +- On the Server +```cmd +Netsh trace start scenario=netconnection capture=yes tracefile=c:\server_nettrace.etl maxsize=512 overwrite=yes report=yes +``` + +Now try to reproduce your issue from the client machine and as soon as you feel the issue has been reproduced, go ahead and stop the traces using the command +```cmd +Netsh trace stop +``` + +Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md) or Message Analyzer and filter the trace for + +- Ipv4.address== and ipv4.address== and tcp.port==135 or just tcp.port==135 should help. + +- Look for the “EPM” Protocol Under the “Protocol” column. + +- Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use. + + ![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png) + +- Check if we are connecting successfully to this Dynamic port successfully. + +- The filter should be something like this: tcp.port== and ipv4.address== + + ![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png) + +This should help you verify the connectivity and isolate if any network issues are seen. + + +### Port not reachable + +The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port. + +![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png) + +The port cannot be reachable due to one of the following reasons: + +- The dynamic port range is blocked on the firewall in the environment. +- A middle device is dropping the packets. +- The destination server is dropping the packets (WFP drop / NIC drop/ Filter driver etc). + + + diff --git a/windows/client-management/troubleshoot-tcpip.md b/windows/client-management/troubleshoot-tcpip.md new file mode 100644 index 0000000000..f758b36a67 --- /dev/null +++ b/windows/client-management/troubleshoot-tcpip.md @@ -0,0 +1,20 @@ +--- +title: Advanced troubleshooting for TCP/IP issues +description: Learn how to troubleshoot TCP/IP issues. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 12/06/2018 +--- + +# Advanced troubleshooting for TCP/IP issues + +In these topics, you will learn how to troubleshoot common problems in a TCP/IP network environment. + +- [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) +- [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) +- [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) +- [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) \ No newline at end of file diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md new file mode 100644 index 0000000000..47104b0b78 --- /dev/null +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -0,0 +1,287 @@ +--- +title: Advanced troubleshooting for Windows-based computer freeze issues +description: Learn how to troubleshoot computer freeze issues. +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: 11/26/2018 +--- + +# Advanced troubleshooting for Windows-based computer freeze issues + +This article describes how to troubleshoot freeze issues on Windows-based computers and servers. It also provides methods for collecting data that will help administrators or software developers diagnose, identify, and fix these issues. + +> [!Note] +> The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. + +## Identify the problem + +* Which computer is freezing? (Example: The impacted computer is a physical server, virtual server, and so on.) +* What operation was being performed when the freezes occurred? (Example: This issue occurs when you shut down GUI, perform one or more operations, and so on.) +* How often do the errors occur? (Example: This issue occurs every night at 7 PM, every day around 7 AM, and so on.) +* On how many computers does this occur? (Example: All computers, only one computer, 10 computers, and so on.) + +## Troubleshoot the freeze issues + +To troubleshoot the freeze issues, check the current status of your computer, and follow one of the following methods. + +### For the computer that's still running in a frozen state + +If the physical computer or the virtual machine is still freezing, use one or more of the following methods for troubleshooting: + +* Try to access the computer through Remote Desktop, Citrix, and so on. +* Use the domain account or local administrator account to log on the computer by using one of the Remote Physical Console Access features, such as Dell Remote Access Card (DRAC), HP Integrated Lights-Out (iLo), or IBM Remote supervisor adapter (RSA). +* Test ping to the computer. Packet dropping and high network latency may be observed. +* Access administrative shares (\\\\**ServerName**\\c$). +* Press Ctrl + Alt + Delete command and check response. +* Try to use Remote Admin tools such as Computer Management, remote Server Manager, and Wmimgmt.msc. + +### For the computer that is no longer frozen + +If the physical computer or virtual machine froze but is now running in a good state, use one or more of the following methods for troubleshooting. + +#### For a physical computer + +* Review the System and Application logs from the computer that is having the issue. Check the event logs for the relevant Event ID: + + - Application event log : Application Error (suggesting Crash or relevant System Process) + - System Event logs, Service Control Manager Error event IDs for Critical System Services + - Error Event IDs 2019/2020 with source Srv/Server + +* Generate a System Diagnostics report by running the perfmon /report command. + +#### For a virtual machine + +* Review the System and Application logs from the computer that is having the issue. +* Generate a System Diagnostics report by running the perfmon /report command. +* Check history in virtual management monitoring tools. + +## More Information + +### Collect data for the freeze issues + +To collect data for a server freeze, check the following table, and use one or more of the suggested methods. + +|Computer type and state |Data collection method | +|-------------------------|--------------------| +|A physical computer that's running in a frozen state|[Use a memory dump file to collect data](#use-memory-dump-to-collect-data-for-the-physical-computer-thats-running-in-a-frozen-state). Or use method 2, 3, or 4. These methods are listed later in this section.| +|A physical computer that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section. And [use Pool Monitor to collect data](#use-pool-monitor-to-collect-data-for-the-physical-computer-that-is-no-longer-frozen).| +|A virtual machine that's running in a frozen state|Hyper-V or VMware: [Use a memory dump file to collect data for the virtual machine that's running in a frozen state](#use-memory-dump-to-collect-data-for-the-virtual-machine-thats-running-in-a-frozen-state).
      XenServer: Use method 1, 2, 3, or 4. These methods are listed later in this section.| +|A virtual machine that is no longer frozen|Use method 1, 2, 3, or 4. These methods are listed later in this section.| + + +#### Method 1: Memory dump + +> [!Note] +> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. + +A complete memory dump file records all the contents of system memory when the computer stops unexpectedly. A complete memory dump file may contain data from processes that were running when the memory dump file was collected. + +If the computer is no longer frozen and now is running in a good state, use the following steps to enable memory dump so that you can collect memory dump when the freeze issue occurs again. If the virtual machine is still running in a frozen state, use the following steps to enable and collect memory dump. + +> [!Note] +> If you have a restart feature that is enabled on the computer, such as the Automatic System Restart (ASR) feature in Compaq computers, disable it. This setting is usually found in the BIOS. With this feature enabled, if the BIOS doesn't detect a heartbeat from the operating system, it will restart the computer. The restart can interrupt the dump process. + + +1. Make sure that the computer is set up to get a complete memory dump file. To do this, follow these steps: + + 1. Go to **Run** and enter `Sysdm.cpl`, and then press enter. + + 2. In **System Properties**, on the **Advanced** tab, select **Performance** \> **Settings** \> **Advanced**, and then check or change the virtual memory by clicking **Change**. + + 2. Go back to **System Properties** \> **Advanced** \> **Settings** in **Startup and Recovery**. + + 3. In the **Write Debugging Information** section, select **Complete Memory Dump**. + + > [!Note] + > For Windows versions that are earlier than Windows 8 or Windows Server 2012, the Complete Memory Dump type isn't available in the GUI. You have to change it in Registry Editor. To do this, change the value of the following **CrashDumpEnabled** registry entry to **1** (REG_DWORD): + >**HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled** + + 4. Select **Overwrite any existing file**. + + 5. Make sure that there's a paging file (pagefile.sys) on the system drive and that it’s at least 100 megabytes (MB) over the installed RAM (Initial and Maximum Size). + + Additionally, you can use the workaround for [space limitations on the system drive in Windows Server 2008](#space-limitations-on-the-system-drive-in-windows-server-2008). + + 6. Make sure that there's more freed-up space on the hard disk drives than there is physical RAM. + +2. Enable the CrashOnCtrlScroll registry value to allow the system to generate a dump file by using the keyboard. To do this, follow these steps: + + 1. Go to Registry Editor, and then locate the following registry keys: + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` + + 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: + + - **Value Name**: `CrashOnCtrlScroll` + - **Data Type**: `REG_DWORD` + - **Value**: `1` + + 3. Exit Registry Editor. + + 4. Restart the computer. + +3. On some physical computers, you may generate a nonmakeable interruption (NMI) from the Web Interface feature (such as DRAC, iLo, and RSA). However, by default, this setting will stop the system without creating a memory dump. + + To allow the operating system to generate a memory dump file at an NMI interruption, set the value of the [NMICrashDump](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc783271(v=ws.10)) registry entry to `1` (REG_DWORD). Then, restart the computer to apply this change. + + > [!Note] + > This is applicable only for Windows 7, Windows Server 2008 R2, and earlier versions of Windows. For Windows 8 Windows Server 2012, and later versions of Windows, the NMICrashDump registry key is no longer required, and an NMI interruption will result in [a Stop error that follows a memory dump data collection](https://support.microsoft.com/help/2750146). + +4. When the computer exhibits the problem, hold down the right **Ctrl** key, and press the **Scroll Lock** key two times to generate a memory dump file. + + > [!Note] + > By default, the dump file is located in the following path:
      + > %SystemRoot%\MEMORY.DMP + + +#### Method 2: Data sanity check + +Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file was created correctly. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. + +- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) +- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) + +Learn how to use Dumpchk.exe to check your dump files: + +> [!video https://www.youtube-nocookie.com/embed/xN7tOfgNKag] + + +#### Method 3: Performance Monitor + +You can use Windows Performance Monitor to examine how programs that you run affect your computer's performance, both in real time and by collecting log data for later analysis. To create performance counter and event trace log collections on local and remote systems, run the following commands in a command prompt as administrator: + +```cmd +Logman create counter LOGNAME_Long -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:05:00 +``` + +```cmd +Logman create counter LOGNAME_Short -u DOMAIN\USERNAME * -f bincirc -v mmddhhmm -max 500 -c "\\COMPUTERNAME\LogicalDisk(*)\*" "\\COMPUTERNAME\Memory\*" "\\COMPUTERNAME\Network Interface(*)\*" "\\COMPUTERNAME\Paging File(*)\*" "\\COMPUTERNAME\PhysicalDisk(*)\*" "\\COMPUTERNAME\Process(*)\*" "\\COMPUTERNAME\Redirector\*" "\\COMPUTERNAME\Server\*" "\\COMPUTERNAME\System\*" "\\COMPUTERNAME\Terminal Services\*" "\\COMPUTERNAME\Processor(*)\*" "\\COMPUTERNAME\Cache\*" -si 00:00:10 +``` + +Then, you can start or stop the log by running the following commands: + +```cmd +logman start LOGNAME_Long / LOGNAME_Short +logman stop LOGNAME_Long / LOGNAME_Short +``` + +The Performance Monitor log is located in the path: C:\PERFLOGS + +#### Method 4: Microsoft Support Diagnostics + +1. In the search box of the [Microsoft Support Diagnostics Self-Help Portal](https://home.diagnostics.support.microsoft.com/selfhelp), type Windows Performance Diagnostic. + +2. In the search results, select **Windows Performance Diagnostic**, and then click **Create**. + +3. Follow the steps of the diagnostic. + + +### Additional methods to collect data + +#### Use memory dump to collect data for the physical computer that's running in a frozen state + +> [!Warning] +> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. + +If the physical computer is still running in a frozen state, follow these steps to enable and collect memory dump: + + +1. Make sure that the computer is set up to get a complete memory dump file and that you can access it through the network. To do this, follow these steps: + > [!Note] + > If it isn't possible to access the affected computer through the network, try to generate a memory dump file through NMI interruption. The result of the action may not collect a memory dump file if some of the following settings aren't qualified. + + 1. Try to access the desktop of the computer by any means. + + > [!Note] + > In case accessing the operating system isn't possible, try to access Registry Editor on the computer remotely in order to check the type of memory dump file and page file with which the computer is currently configured. + + 2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings: + + * ` `*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` + + Make sure that the [CrashDumpEnabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`. + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\NMICrashDump` + + On some physical servers, if the NMICrashDump registry entry exists and its value is `1`, you may take advantage of the NMI from the remote management capabilities (such as DRAC, iLo, and RSA). + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles and ExistingPageFiles` + + If the value of the **Pagefile** registry entry is system managed, the size won't be reflected in the registry (Example value: ?:\pagefile.sys). + + If the page file is customized, the size will be reflected in the registry, such as ‘?:\pagefile.sys 1024 1124’ where 1024 is the initial size and 1124 is the max size. + + > [!Note] + > If the size isn't reflected in the Registry, try to access an Administrative share where the page file is located (such as \\\\**ServerName**\C$). + + 3. Make sure that there's a paging file (pagefile.sys) on the system drive of the computer, and it's at least 100 MB over the installed RAM. + + 4. Make sure that there's more free space on the hard disk drives of the computer than there is physical RAM. + +2. Enable the **CrashOnCtrlScroll** registry value on the computer to allow the system to generate a dump file by using the keyboard. To do this, follow these steps: + + 1. From a remote computer preferably in the same network and subnet, go to Registry Editor \> Connect Network Registry. Connect to the concerned computer and locate the following registry keys: + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt\Parameters` + + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kbdhid\Parameters` + + 2. Create the following CrashOnCtrlScroll registry entry in the two registry keys: + + **Value Name**: `CrashOnCtrlScroll` + **Data Type**: `REG_DWORD` + **Value**: `1` + + 3. Exit Registry Editor. + + 4. Restart the computer. + +3. When the computer exhibits the problem, hold down the right **CTRL** key, and press the **Scroll Lock** key two times to generate a memory dump. + > [!Note] + > By default, the dump file is located in the path: %SystemRoot%\MEMORY.DMP + +#### Use Pool Monitor to collect data for the physical computer that is no longer frozen + +Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag. + +Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](http://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx). + +#### Use memory dump to collect data for the virtual machine that's running in a frozen state + +Use the one of the following methods for the application on which the virtual machine is running. + +##### Microsoft Hyper-V + +If the virtual machine is running Windows 8, Windows Server 2012, or a later version of Windows on Microsoft Hyper-V Server 2012, you can use the built-in NMI feature through a [Debug-VM](https://docs.microsoft.com/previous-versions/windows/powershell-scripting/dn464280(v=wps.630)) cmdlet to debug and get a memory dump. + +To debug the virtual machines on Hyper-V, run the following cmdlet in Windows PowerShell: + +```powershell +Debug-VM -Name "VM Name" -InjectNonMaskableInterrupt -ComputerName Hostname +``` + +> [!Note] +> This method is applicable only to Windows 8, Windows Server 2012, and later versions of Windows virtual machines. For the earlier versions of Windows, see methods 1 through 4 that are described earlier in this section. + +##### VMware + +You can use VMware Snapshots or suspend state and extract a memory dump file equivalent to a complete memory dump file. By using [Checkpoint To Core Tool (vmss2core)](https://labs.vmware.com/flings/vmss2core), you can convert both suspend (.vmss) and snapshot (.vmsn) state files to a dump file and then analyze the file by using the standard Windows debugging tools. + +##### Citrix XenServer + +The memory dump process occurs by pressing the RIGHT CTRL + SCROLL LOCK + SCROLL LOCK keyboard combination that's described in Method 1 and on [the Citrix site](http://support.citrix.com/article/ctx123177). + +## Space limitations on the system drive in Windows Server 2008 + +On Windows Server 2008, you may not have enough free disk space to generate a complete memory dump file on the system volume. There's a [hotfix](https://support.microsoft.com/help/957517) that allows for the data collection even though there isn't sufficient space on the system drive to store the memory dump file. + +Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](https://support.microsoft.com/help/969028). + +For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](http://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx). \ No newline at end of file diff --git a/windows/client-management/troubleshoot-windows-startup.md b/windows/client-management/troubleshoot-windows-startup.md new file mode 100644 index 0000000000..47d03fef10 --- /dev/null +++ b/windows/client-management/troubleshoot-windows-startup.md @@ -0,0 +1,19 @@ +--- +title: Advanced troubleshooting for Windows start-up issues +description: Learn how to troubleshoot Windows start-up issues. +ms.prod: w10 +ms.sitesec: library +ms.topic: troubleshooting +author: kaushika-msft +ms.localizationpriority: medium +ms.author: kaushika +ms.date: +--- + +# Advanced troubleshooting for Windows start-up issues + +In these topics, you will learn how to troubleshoot common problems related to Windows start-up. + +- [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md) +- [Advanced troubleshooting for Stop error or blue screen error](troubleshoot-stop-errors.md) +- [Advanced troubleshooting for Windows-based computer freeze issues](troubleshoot-windows-freeze.md) diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 4349340530..95e731061d 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md @@ -176,18 +176,18 @@ IT can block the addition of a personal identity, such as an MSA or Google Accou *Applies to: Corporate and personal devices* -For both personal and corporate deployment scenarios, an MDM system is the essential infrastructure required to deploy and manage Windows 10 Mobile devices. An Azure AD premium subscription is recommended as an identity provider and required to support certain capabilities. Windows 10 Mobile allows you to have a pure cloud-based infrastructure or a hybrid infrastructure that combines Azure AD identity management with an on-premises management system to manage devices. Microsoft now also supports a pure on-premises solution to manage Windows 10 Mobile devices with [Configuration Manager](https://technet.microsoft.com/en-us/library/mt627908.aspx). +For both personal and corporate deployment scenarios, an MDM system is the essential infrastructure required to deploy and manage Windows 10 Mobile devices. An Azure AD premium subscription is recommended as an identity provider and required to support certain capabilities. Windows 10 Mobile allows you to have a pure cloud-based infrastructure or a hybrid infrastructure that combines Azure AD identity management with an on-premises management system to manage devices. Microsoft now also supports a pure on-premises solution to manage Windows 10 Mobile devices with [Configuration Manager](https://technet.microsoft.com/library/mt627908.aspx). **Azure Active Directory** -Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid identity solution. Organizations that use Microsoft Office 365 or Intune are already using Azure AD, which has three editions: Free Basic, and Premium (see [Azure Active Directory editions](https://azure.microsoft.com/en-us/documentation/articles/active-directory-editions/)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. +Azure AD is a cloud-based directory service that provides identity and access management. You can integrate it with existing on-premises directories to create a hybrid identity solution. Organizations that use Microsoft Office 365 or Intune are already using Azure AD, which has three editions: Free Basic, and Premium (see [Azure Active Directory editions](https://azure.microsoft.com/documentation/articles/active-directory-editions/)). All editions support Azure AD device registration, but the Premium edition is required to enable MDM auto-enrollment and conditional access based on device state. **Mobile Device Management** Microsoft [Intune](https://www.microsoft.com/en-us/server-cloud/products/microsoft-intune/overview.aspx), part of the Enterprise Mobility + Security, is a cloud-based MDM system that manages devices off premises. Like Office 365, Intune uses Azure AD for identity management so employees use the same credentials to enroll devices in Intune that they use to sign into Office 365. Intune supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution. -You can also integrate Intune with Configuration Manager to gain a single console for managing all devices in the cloud and on premises, mobile or PC. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](https://technet.microsoft.com/en-us/library/jj884158.aspx). For guidance on choosing between a stand-alone Intune installation and Intune integrated with System Center Configuration Manager, see Choose between Intune by itself or integrating Intune with System Center Configuration Manager. -Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. MDM providers that support Windows 10 Mobile currently include: AirWatch, Citrix, MobileIron, SOTI, Blackberry and others. Most industry-leading MDM vendors already support integration with Azure AD. You can find the MDM vendors that support Azure AD in [Azure Marketplace](https://azure.microsoft.com/en-us/marketplace/). If your organization doesn’t use Azure AD, the user must use an MSA during OOBE before enrolling the device in your MDM using a corporate account. +You can also integrate Intune with Configuration Manager to gain a single console for managing all devices in the cloud and on premises, mobile or PC. For more information, see [Manage Mobile Devices with Configuration Manager and Microsoft Intune](https://technet.microsoft.com/library/jj884158.aspx). For guidance on choosing between a stand-alone Intune installation and Intune integrated with System Center Configuration Manager, see Choose between Intune by itself or integrating Intune with System Center Configuration Manager. +Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. MDM providers that support Windows 10 Mobile currently include: AirWatch, Citrix, MobileIron, SOTI, Blackberry and others. Most industry-leading MDM vendors already support integration with Azure AD. You can find the MDM vendors that support Azure AD in [Azure Marketplace](https://azure.microsoft.com/marketplace/). If your organization doesn’t use Azure AD, the user must use an MSA during OOBE before enrolling the device in your MDM using a corporate account. >**Note:** Although not covered in this guide, you can use Exchange ActiveSync (EAS) to manage mobile devices instead of using a full-featured MDM system. EAS is available in Microsoft Exchange Server 2010 or later and Office 365. -In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](https://technet.microsoft.com/en-us/library/ms.o365.cc.devicepolicy.aspx). +In addition, Microsoft recently added MDM capabilities powered by Intune to Office 365. MDM for Office 365 supports mobile devices only, such as those running Windows 10 Mobile, iOS, and Android. MDM for Office 365 offers a subset of the management capabilities found in Intune, including the ability to remotely wipe a device, block a device from accessing Exchange Server email, and configure device policies (e.g., passcode requirements). For more information about MDM for Office 365 capabilities, see [Overview of Mobile Device Management for Office 365](https://technet.microsoft.com/library/ms.o365.cc.devicepolicy.aspx). **Cloud services** On mobile devices that run Windows 10 Mobile, users can easily connect to cloud services that provide user notifications and collect diagnostic and usage data. Windows 10 Mobile enables organizations to manage how devices consume these cloud services. @@ -210,7 +210,7 @@ The Microsoft Store for Business is the place where IT administrators can find, MDM administrators can define and implement policy settings on any personal or corporate device enrolled in an MDM system. What configuration settings you use will differ based on the deployment scenario, and corporate devices will offer IT the broadest range of control. >**Note:** This guide helps IT professionals understand management options available for the Windows 10 Mobile OS. Please consult your MDM system documentation to understand how these policies are enabled by your MDM vendor. -Not all MDM systems support every setting described in this guide. Some support custom policies through OMA-URI XML files. See [Microsoft Intune support for Custom Policies](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#custom-uri-settings-for-windows-10-devices). Naming conventions may also vary among MDM vendors. +Not all MDM systems support every setting described in this guide. Some support custom policies through OMA-URI XML files. See [Microsoft Intune support for Custom Policies](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune#custom-uri-settings-for-windows-10-devices). Naming conventions may also vary among MDM vendors. ### Account profile @@ -227,8 +227,8 @@ Enforcing what accounts employees can use on a corporate device is important for Email and associated calendar and contacts are the primary apps that users access on their smartphones. Configuring them properly is key to the success of any mobility program. In both corporate and personal device deployment scenarios, these email account settings get deployed immediately after enrollment. Using your corporate MDM system, you can define corporate email account profiles, deploy them to devices, and manage inbox policies. -- Most corporate email systems leverage **Exchange ActiveSync (EAS)**. For more details on configuring EAS email profiles, see the [ActiveSync CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920017(v=vs.85).aspx). -- **Simple Mail Transfer Protocol (SMTP)** email accounts can also be configured with your MDM system. For more detailed information on SMTP email profile configuration, see the [Email CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904953(v=vs.85).aspx). Microsoft Intune does not currently support the creation of an SMTP email profile. +- Most corporate email systems leverage **Exchange ActiveSync (EAS)**. For more details on configuring EAS email profiles, see the [ActiveSync CSP](https://msdn.microsoft.com/library/windows/hardware/dn920017(v=vs.85).aspx). +- **Simple Mail Transfer Protocol (SMTP)** email accounts can also be configured with your MDM system. For more detailed information on SMTP email profile configuration, see the [Email CSP](https://msdn.microsoft.com/library/windows/hardware/dn904953(v=vs.85).aspx). Microsoft Intune does not currently support the creation of an SMTP email profile. ### Device Lock restrictions @@ -257,7 +257,7 @@ Most of the device lock restriction policies have been available via ActiveSync Settings related to Windows Hello would be important device lock settings to configure if you are deploying devices using the corporate deployment scenario. Microsoft made it a requirement for all users to create a numeric passcode as part of Azure AD Join. This policy default requires users to select a four-digit passcode, but this can be configured with an AAD-registered MDM system to whatever passcode complexity your organization desires. If you are using Azure AD with an automatic MDM enrollment mechanism, these policy settings are automatically applied during device enrollment. -You will notice that some of the settings are very similar, specifically those related to passcode length, history, expiration, and complexity. If you set the policy in multiple places, both policies will be applied, with the strongest policy retained. Read [PassportForWork CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn987099(v=vs.85).aspx), [DeviceLock CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904945(v=vs.85).aspx) (Windows Phone 8.1), and [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#DeviceLock_AllowIdleReturnWithoutPassword) for more detailed information. +You will notice that some of the settings are very similar, specifically those related to passcode length, history, expiration, and complexity. If you set the policy in multiple places, both policies will be applied, with the strongest policy retained. Read [PassportForWork CSP](https://msdn.microsoft.com/library/windows/hardware/dn987099(v=vs.85).aspx), [DeviceLock CSP](https://msdn.microsoft.com/library/windows/hardware/dn904945(v=vs.85).aspx) (Windows Phone 8.1), and [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#DeviceLock_AllowIdleReturnWithoutPassword) for more detailed information. ### Prevent changing of settings @@ -303,7 +303,7 @@ Certificates help improve security by providing account authentication, Wi Fi au To install certificates manually, you can post them on Microsoft Edge website or send them directly via email, which is ideal for testing purposes. Using SCEP and MDM systems, certificate management is completely transparent and requires no user intervention, helping improve user productivity, and reduce support calls. Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll the device (as long as the MDM system supports the Simple Certificate Enrollment Protocol (SCEP) or Personal Information Exchange (PFX)). The MDM server can also query and delete SCEP enrolled client certificate (including user installed certificates), or trigger a new enrollment request before the current certificate is expired. In addition to SCEP certificate management, Windows 10 Mobile supports deployment of PFX certificates. The table below lists the Windows 10 Mobile PFX certificate deployment settings. -Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile). +Get more detailed information about MDM certificate management in the [Client Certificate Install CSP](https://msdn.microsoft.com/library/windows/hardware/dn920023(v=vs.85).aspx) and [Install digital certificates on Windows 10 Mobile](/windows/access-protection/installing-digital-certificates-on-windows-10-mobile). Use the Allow Manual Root Certificate Installation setting to prevent users from manually installing root and intermediate CA certificates intentionally or accidently. >**Note:** To diagnose certificate-related issues on Windows 10 Mobile devices, use the free Certificates app in Microsoft Store. This Windows 10 Mobile app can help you: @@ -349,7 +349,7 @@ In addition, you can set a few device wide Wi-Fi settings. - **Allow Internet Sharing** Allow or disallow Internet sharing - **WLAN Scan Mode** How actively the device scans for Wi-Fi networks -Get more detailed information about Wi-Fi connection profile settings in the [Wi-Fi CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904981(v=vs.85).aspx) and [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx). +Get more detailed information about Wi-Fi connection profile settings in the [Wi-Fi CSP](https://msdn.microsoft.com/library/windows/hardware/dn904981(v=vs.85).aspx) and [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx). ### APN profiles @@ -381,7 +381,7 @@ You can define and deploy APN profiles in MDM systems that configure cellular da - **Allow user control** Allows users to connect with other APNs than the enterprise APN - **Hide view** Whether the cellular UX will allow the user to view enterprise APNs -Get more detailed information about APN settings in the [APN CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn958617(v=vs.85).aspx). +Get more detailed information about APN settings in the [APN CSP](https://msdn.microsoft.com/library/windows/hardware/dn958617(v=vs.85).aspx). ### Proxy @@ -399,7 +399,7 @@ The below lists the Windows 10 Mobile settings for managing APN proxy settings f - **Proxy connection type** The proxy connection type, supporting: Null proxy, HTTP, WAP, SOCKS4 - **Port** The port number of the proxy connection -For more details on proxy settings, see [CM_ProxyEntries CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914762(v=vs.85).aspx). +For more details on proxy settings, see [CM_ProxyEntries CSP](https://msdn.microsoft.com/library/windows/hardware/dn914762(v=vs.85).aspx). ### VPN @@ -449,7 +449,7 @@ In addition, you can specify per VPN Profile: - No other VPN profiles can be connected or modified. - **ProfileXML** In case your MDM system does not support all the VPN settings you want to configure, you can create an XML file that defines the VPN profile you want to apply to all the fields you require. -For more details about VPN profiles, see the [VPNv2 CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776(v=vs.85).aspx) +For more details about VPN profiles, see the [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776(v=vs.85).aspx) Some device-wide settings for managing VPN connections can help you manage VPNs over cellular data connections, which in turn helps reduce costs associated with roaming or data plan charges. - **Allow VPN** Whether users can change VPN settings @@ -495,7 +495,7 @@ For compatibility with existing apps, Windows Phone 8.1 apps still run on Window Microsoft also made it easier for organizations to license and purchase UWP apps via Microsoft Store for Business and deploy them to employee devices using the Microsoft Store, or an MDM system, that can be integrated with the Microsoft Store for Business. Putting apps into the hands of mobile workers is critical, but you also need an efficient way to ensure those apps comply with corporate policies for data security. -To learn more about Universal Windows apps, see the [Guide to Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/en-us/library/windows/apps/dn894631.aspx) for additional information, or take this [Quick Start Challenge: Universal Windows Apps in Visual Studio](https://mva.microsoft.com/en-US/training-courses/quick-start-challenge-universal-windows-apps-in-visual-studio-14477?l=Be2FMfgmB_505192797). Also, see [Porting apps to Windows 10](https://msdn.microsoft.com/en-us/windows/uwp/porting/index). +To learn more about Universal Windows apps, see the [Guide to Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/library/windows/apps/dn894631.aspx) for additional information, or take this [Quick Start Challenge: Universal Windows Apps in Visual Studio](https://mva.microsoft.com/en-US/training-courses/quick-start-challenge-universal-windows-apps-in-visual-studio-14477?l=Be2FMfgmB_505192797). Also, see [Porting apps to Windows 10](https://msdn.microsoft.com/windows/uwp/porting/index). ### Microsoft Store for Business: Sourcing the right app @@ -532,7 +532,7 @@ IT administrators can control which apps are allowed to be installed on Windows Windows 10 Mobile includes AppLocker, which enables administrators to create allow or disallow (sometimes also called whitelist/blacklist) lists of apps from the Microsoft Store. This capability extends to built-in apps, as well, such as Xbox, Groove, text messaging, email, and calendar, etc. The ability to allow or deny apps helps to ensure that people use their mobile devices for their intended purposes. However, it is not always an easy approach to find a balance between what employees need or request and security concerns. Creating allow or disallow lists also requires keeping up with the changing app landscape in the Microsoft Store. -For more details, see [AppLocker CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn920019(v=vs.85).aspx). +For more details, see [AppLocker CSP](https://msdn.microsoft.com/library/windows/hardware/dn920019(v=vs.85).aspx). In addition to controlling which apps are allowed, IT professionals can also implement additional app management settings on Windows 10 Mobile, using an MDM. @@ -546,9 +546,9 @@ In addition to controlling which apps are allowed, IT professionals can also imp - **Require Private Store Only** Whether the private store is exclusively available to users in the Store app on the device. If enabled, only the private store is available. If disabled, the retail catalog and private store are both available. - **Restrict App Data to System Volume** Whether app data is allowed only on the system drive or can be stored on an SD card. - **Restrict App to System Volume** Whether app installation is allowed only to the system drive or can be installed on an SD card. -- **Start screen layout** An XML blob used to configure the Start screen (see [Start layout for Windows 10 Mobile](https://msdn.microsoft.com/en-us/library/windows/hardware/mt171093(v=vs.85).aspx) for more information). +- **Start screen layout** An XML blob used to configure the Start screen (see [Start layout for Windows 10 Mobile](https://msdn.microsoft.com/library/windows/hardware/mt171093(v=vs.85).aspx) for more information). -Find more details on application management options in the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#ApplicationManagement_AllowAllTrustedApps) +Find more details on application management options in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#ApplicationManagement_AllowAllTrustedApps) ### Data leak prevention @@ -592,7 +592,7 @@ The following table lists the settings that can be configured for Windows Inform >**Note:** * Are mandatory Windows Information Protection policies. To make Windows Information Protection functional, AppLocker and network isolation settings - specifically Enterprise IP Range and Enterprise Network Domain Names – must be configured. This defines the source of all corporate data that needs protection and also ensures data written to these locations won’t be encrypted by the user’s encryption key (so that others in the company can access it. -For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634(v=vs.85).aspx) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). +For more information on Windows Information Protection, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634(v=vs.85).aspx) and the following in-depth article series [Protect your enterprise data using Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). ### Managing user activities @@ -734,7 +734,7 @@ Microsoft aspires to update Windows 10 Mobile devices with the latest updates au *Applies to: Corporate and Personal devices* -Microsoft publishes new feature updates for Windows 10 and Windows 10 Mobile on a regular basis. The [Windows release information page](https://technet.microsoft.com/en-us/windows/release-info) is designed to help you determine if your devices are current with the latest Windows 10 feature and quality updates. The release information published on this page, covers both Windows 10 for PCs and Windows 10 Mobile. In addition, the [Windows update history page](https://windows.microsoft.com/en-us/windows-10/update-history-windows-10) helps you understand what these updates are about. +Microsoft publishes new feature updates for Windows 10 and Windows 10 Mobile on a regular basis. The [Windows release information page](https://technet.microsoft.com/windows/release-info) is designed to help you determine if your devices are current with the latest Windows 10 feature and quality updates. The release information published on this page, covers both Windows 10 for PCs and Windows 10 Mobile. In addition, the [Windows update history page](https://windows.microsoft.com/en-us/windows-10/update-history-windows-10) helps you understand what these updates are about. >**Note:** We invite IT Professionals to participate in the Windows Insider Program to test updates before they are officially released to make Windows 10 Mobile even better. If you find any issues, please send us feedback via the Feedback Hub @@ -802,7 +802,7 @@ To learn more about diagnostic, see [Configure Windows diagnostic data in your o To activate Windows 10 Mobile Enterprise, use your MDM system or a provisioning package to inject the Windows 10 Enterprise license on a Windows 10 Mobile device. Licenses can be obtained from the Volume Licensing portal. For testing purposes, you can obtain a licensing file from the MSDN download center. A valid MSDN subscription is required. -Details on updating a device to Enterprise edition with [WindowsLicensing CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904983(v=vs.85).aspx) +Details on updating a device to Enterprise edition with [WindowsLicensing CSP](https://msdn.microsoft.com/library/windows/hardware/dn904983(v=vs.85).aspx) >**Recommendation:** Microsoft recommends using Enterprise edition only on corporate devices. Once a device has been upgraded, it cannot be downgraded. Even a device wipe or reset will not remove the enterprise license from personal devices. @@ -881,7 +881,7 @@ Pause Feature Updates for up to 35 days *Applies to: Corporate devices with Enterprise edition* -Set update client experience with [Allowautomaticupdate](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_AllowAutoUpdate) policy for your employees. This allows the IT Pro to influence the way the update client on the devices behaves when scanning, downloading, and installing updates. +Set update client experience with [Allowautomaticupdate](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_AllowAutoUpdate) policy for your employees. This allows the IT Pro to influence the way the update client on the devices behaves when scanning, downloading, and installing updates. This can include: - Notifying users prior to downloading updates. @@ -891,7 +891,7 @@ This can include: - Automatically downloading and restarting devices without user interaction. - Turning off automatic updates. This option should be used only for systems under regulatory compliance. The device will not receive any updates. -In addition, in version 1607, you can configure when the update is applied to the employee device to ensure updates installs or reboots don’t interrupt business or worker productivity. Update installs and reboots can be scheduled [outside of active hours](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ActiveHoursEnd) (supported values are 0-23, where 0 is 12am, 1 is 1am, etc.) or on a specific what [day of the week](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ScheduledInstallDay) (supported values are 0-7, where 0 is every day, 1 is Sunday, 2 is Monday, etc.). +In addition, in version 1607, you can configure when the update is applied to the employee device to ensure updates installs or reboots don’t interrupt business or worker productivity. Update installs and reboots can be scheduled [outside of active hours](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ActiveHoursEnd) (supported values are 0-23, where 0 is 12am, 1 is 1am, etc.) or on a specific what [day of the week](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Update_ScheduledInstallDay) (supported values are 0-7, where 0 is every day, 1 is Sunday, 2 is Monday, etc.). **Managing the source of updates with MDM** @@ -909,7 +909,7 @@ IT administrators can specify where the device gets updates from with AllowUpdat When using WSUS, set **UpdateServiceUrl** to allow the device to check for updates from a WSUS server instead of Windows Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet, usually handheld devices used for task completion, or other Windows IoT devices. -Learn more about [managing updates with Windows Server Update Services (WSUS)](https://technet.microsoft.com/en-us/windowsserver/bb332157.aspx) +Learn more about [managing updates with Windows Server Update Services (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx) **Querying the device update status** @@ -1055,7 +1055,7 @@ If you choose to completely wipe a device when lost or when an employee leaves t A better option than wiping the entire device is to use Windows Information Protection to clean corporate-only data from a personal device. As explained in the Apps chapter, all corporate data will be tagged and when the device is unenrolled from your MDM system of your choice, all enterprise encrypted data, apps, settings and profiles will immediately be removed from the device without affecting the employee’s existing personal data. A user can initiate unenrollment via the settings screen or unenrollment action can be taken by IT from within the MDM management console. Unenrollment is a management event and will be reported to the MDM system. -**Corporate device:** You can certainly remotely expire the user’s encryption key in case of device theft, but please remember that that will also make the encrypted data on other Windows devices unreadable for the user. A better approach for retiring a discarded or lost device is to execute a full device wipe. The help desk or device users can initiate a full device wipe. When the wipe is complete, Windows 10 Mobile returns the device to a clean state and restarts the OOBE process. +**Corporate device:** You can certainly remotely expire the user’s encryption key in case of device theft, but please remember that will also make the encrypted data on other Windows devices unreadable for the user. A better approach for retiring a discarded or lost device is to execute a full device wipe. The help desk or device users can initiate a full device wipe. When the wipe is complete, Windows 10 Mobile returns the device to a clean state and restarts the OOBE process. **Settings for personal or corporate device retirement** - **Allow manual MDM unenrollment** Whether users are allowed to delete the workplace account (i.e., unenroll the device from the MDM system) diff --git a/windows/client-management/windows-10-support-solutions.md b/windows/client-management/windows-10-support-solutions.md index c212eae7d8..d540b098dd 100644 --- a/windows/client-management/windows-10-support-solutions.md +++ b/windows/client-management/windows-10-support-solutions.md @@ -7,45 +7,54 @@ ms.sitesec: library ms.author: elizapo author: kaushika-msft ms.localizationpriority: medium -ms.date: 11/08/2017 +ms.date: 11/08/2018 --- # Top support solutions for Windows 10 Microsoft regularly releases both updates and solutions for Windows 10. To ensure your computers can receive future updates, including security updates, it's important to keep them updated. Check out the following links for a complete list of released updates: -- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124/) -- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825/) -- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824/) +- [Windows 10 version 1803 update history](https://support.microsoft.com/help/4099479) +- [Windows 10 version 1709 update history](https://support.microsoft.com/help/4043454) +- [Windows 10 Version 1703 update history](https://support.microsoft.com/help/4018124) +- [Windows 10 Version 1607 update history](https://support.microsoft.com/help/4000825) +- [Windows 10 Version 1511 update history](https://support.microsoft.com/help/4000824) These are the top Microsoft Support solutions for the most common issues experienced when using Windows 10 in an enterprise or IT pro environment. The links below include links to KB articles, updates, and library articles. -## Solutions related to installing Windows updates or hotfixes -- [Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760/understanding-the-windowsupdate-log-file-for-advanced-users) -- [You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer) -- [Get-WindowsUpdateLog](https://technet.microsoft.com/itpro/powershell/windows/windowsupdate/get-windowsupdatelog) -- [How to read the Windowsupdate.log file](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file) -- [Can't download updates from Windows Update from behind a firewall or proxy server](https://support.microsoft.com/help/3084568/can-t-download-updates-from-windows-update-from-behind-a-firewall-or-p) -- [Computer staged from a SysPrepped image doesn't receive WSUS updates](https://support.microsoft.com/help/4010909/computer-staged-from-a-sysprepped-image-doesn-t-receive-wsus-updates) -- [Servicing stack update for Windows 10 Version 1703: June 13, 2017](https://support.microsoft.com/help/4022405/servicingstackupdateforwindows10version1703june13-2017) -- [Servicing stack update for Windows 10 Version 1607 and Windows Server 2016: March 14, 2017](https://support.microsoft.com/help/4013418/servicing-stack-update-for-windows-10-version-1607-and-windows-server) +## Solutions related to installing Windows Updates +- [How does Windows Update work](https://docs.microsoft.com/en-us/windows/deployment/update/how-windows-update-works) +- [Windows Update log files](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-logs) +- [Windows Update troubleshooting](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-troubleshooting) +- [Windows Update common errors and mitigation](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-errors) +- [Windows Update - additional resources](https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources) + +## Solutions related to installing or upgrading Windows + +- [Quick Fixes](https://docs.microsoft.com/en-us/windows/deployment/upgrade/quick-fixes) +- [Troubleshooting upgrade errors](https://docs.microsoft.com/en-us/windows/deployment/upgrade/troubleshoot-upgrade-errors) +- [Resolution procedures](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolution-procedures) +- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/en-in/help/3194588/0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) +- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/en-in/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) + +## Solutions related to BitLocker + +- [BitLocker recovery guide](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan) +- [BitLocker: How to enable Network Unlock](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock) +- [BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker) +- [BitLocker Group Policy settings](https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) ## Solutions related to Bugchecks or Stop Errors - [Troubleshooting Stop error problems for IT Pros](https://support.microsoft.com/help/3106831/troubleshooting-stop-error-problems-for-it-pros) - [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s) - [How to troubleshoot Windows-based computer freeze issues](https://support.microsoft.com/help/3118553/how-to-troubleshoot-windows-based-computer-freeze-issues) -- [Understanding Bugchecks](https://blogs.technet.microsoft.com/askperf/2007/12/18/understanding-bugchecks/) -- [Understanding Crash Dump Files](https://blogs.technet.microsoft.com/askperf/2008/01/08/understanding-crash-dump-files/) +- [Introduction of page file in Long-Term Servicing Channel and Semi-Annual Channel of Windows](https://support.microsoft.com/help/4133658) + + +## Solutions related to Windows Boot issues +- [Troubleshooting Windows boot problems for IT Pros](https://support.microsoft.com/help/4343769) +- [How to use Windows Recovery Environment (WinRE) to troubleshoot common startup issues](https://support.microsoft.com/help/4026030/how-to-use-windows-recovery-environment-winre-to-troubleshoot-common-s) -## Solutions related to installing or upgrading Windows -- [Resolve Windows 10 upgrade errors : Technical information for IT Pros](/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) -- [Windows OOBE fails when you start a new Windows-based computer for the first time](https://support.microsoft.com/help/4020048/windows-oobe-fails-when-you-start-a-new-windows-based-computer-for-the) -- ["0xc1800118" error when you push Windows 10 Version 1607 by using WSUS](https://support.microsoft.com/help/3194588/-0xc1800118-error-when-you-push-windows-10-version-1607-by-using-wsus) -- [0xC1900101 error when Windows 10 upgrade fails after the second system restart](https://support.microsoft.com/help/3208485/0xc1900101-error-when-windows-10-upgrade-fails-after-the-second-system) -- [Updates fix in-place upgrade to Windows 10 version 1607 problem](https://support.microsoft.com/help/4020149/updates-fix-in-place-upgrade-to-windows-10-version-1607-problem) -- [OOBE update for Windows 10 Version 1703: May 9, 2017](https://support.microsoft.com/help/4020008) -- [OOBE update for Windows 10 Version 1607: May 30, 2017](https://support.microsoft.com/help/4022632) -- [OOBE update for Windows 10 Version 1511: May 30, 2017](https://support.microsoft.com/help/4022633) ## Solutions related to configuring or managing the Start menu - [Manage Windows 10 Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies) @@ -57,7 +66,8 @@ These are the top Microsoft Support solutions for the most common issues experie - [Modern apps are blocked by security software when you start the applications on Windows 10 Version 1607](https://support.microsoft.com/help/4016973/modern-apps-are-blocked-by-security-software-when-you-start-the-applic) ## Solutions related to wireless networking and 802.1X authentication - +- [Advanced Troubleshooting Wireless Network](Connectivity]https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-wireless-network-connectivity) +- [Advanced Troubleshooting 802.1x Authentication](https://docs.microsoft.com/en-us/windows/client-management/advanced-troubleshooting-802-authentication) +- [Troubleshooting Windows 802.11 Wireless Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc766215(v=ws.10)) +- [Troubleshooting Windows Secure 802.3 Wired Connections](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749352(v%3dws.10)) - [Windows 10 devices can't connect to an 802.1X environment](https://support.microsoft.com/kb/3121002) -- [Windows 10 wireless connection displays "Limited" status](https://support.microsoft.com/kb/3114149) -- [Computer that has VPN software installed can't detect wireless network after upgrading to Windows 10](https://support.microsoft.com/kb/3084164) diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index c1f35268c3..54bb8122b7 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md @@ -12,10 +12,10 @@ ms.date: 04/30/2018 # What version of Windows am I running? -To determine if your device is enrolled in the [Long-Term Servicing Channel](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. +To determine if your device is enrolled in the [Long-Term Servicing Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [Semi-Annual Channel](https://docs.microsoft.com/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. ## System Properties -Click **Start** > **Settings** > **Settings** > click **About** from the bottom of the left-hand menu +Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu You'll now see **Edition**, **Version**, and **OS Build** information. Something like this: diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index b388b128cd..c2226fc484 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -1,5 +1,21 @@ # [Configure Windows 10](index.md) -## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) +## [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md) +## [Configure access to Microsoft Store](stop-employees-from-using-microsoft-store.md) +## [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) +### [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md) +#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work/cortana-at-work-scenario-1.md) +#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/cortana-at-work-scenario-2.md) +#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/cortana-at-work-scenario-3.md) +#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/cortana-at-work-scenario-4.md) +#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/cortana-at-work-scenario-5.md) +#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/cortana-at-work-scenario-6.md) +#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7.md) +### [Set up and test Cortana with Office 365 in your organization](cortana-at-work/cortana-at-work-o365.md) +### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work/cortana-at-work-crm.md) +### [Set up and test Cortana for Power BI in your organization](cortana-at-work/cortana-at-work-powerbi.md) +### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md) +### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md) +### [Send feedback about Cortana at work back to Microsoft](cortana-at-work/cortana-at-work-feedback.md) ## [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) ## [Configure kiosks and digital signs on Windows desktop editions](kiosk-methods.md) ### [Prepare a device for kiosk configuration](kiosk-prepare.md) @@ -16,46 +32,18 @@ #### [Use Shell Launcher to create a Windows 10 kiosk](kiosk-shelllauncher.md) #### [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) #### [Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) -## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) -### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) -### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md) -#### [NFC-based device provisioning](mobile-devices/provisioning-nfc.md) -#### [Barcode provisioning and the package splitter tool](mobile-devices/provisioning-package-splitter.md) -### [Use the Lockdown Designer app to create a Lockdown XML file](mobile-devices/mobile-lockdown-designer.md) -### [Configure Windows 10 Mobile using Lockdown XML](mobile-devices/lockdown-xml.md) -### [Settings and quick actions that can be locked down in Windows 10 Mobile](mobile-devices/settings-that-can-be-locked-down.md) -### [Product IDs in Windows 10 Mobile](mobile-devices/product-ids-in-windows-10-mobile.md) -### [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md) -## [Configure cellular settings for tablets and PCs](provisioning-apn.md) -## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) -### [Configure Windows Spotlight on the lock screen](windows-spotlight.md) -### [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md) -### [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) -#### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) -#### [Customize and export Start layout](customize-and-export-start-layout.md) -#### [Add image for secondary tiles](start-secondary-tiles.md) -#### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) -#### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) -#### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -#### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) -#### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) -## [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) -### [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md) -#### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work/cortana-at-work-scenario-1.md) -#### [Test scenario 2 - Perform a quick search with Cortana at work](cortana-at-work/cortana-at-work-scenario-2.md) -#### [Test scenario 3 - Set a reminder for a specific location using Cortana at work](cortana-at-work/cortana-at-work-scenario-3.md) -#### [Test scenario 4 - Use Cortana at work to find your upcoming meetings](cortana-at-work/cortana-at-work-scenario-4.md) -#### [Test scenario 5 - Use Cortana to send email to a co-worker](cortana-at-work/cortana-at-work-scenario-5.md) -#### [Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email](cortana-at-work/cortana-at-work-scenario-6.md) -#### [Test scenario 7 - Use Cortana and Windows Information Protection (WIP) to help protect your organization’s data on a device](cortana-at-work/cortana-at-work-scenario-7.md) -### [Set up and test Cortana with Office 365 in your organization](cortana-at-work/cortana-at-work-o365.md) -### [Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization](cortana-at-work/cortana-at-work-crm.md) -### [Set up and test Cortana for Power BI in your organization](cortana-at-work/cortana-at-work-powerbi.md) -### [Set up and test custom voice commands in Cortana for your organization](cortana-at-work/cortana-at-work-voice-commands.md) -### [Use Group Policy and mobile device management (MDM) settings to configure Cortana in your organization](cortana-at-work/cortana-at-work-policy-settings.md) -### [Send feedback about Cortana at work back to Microsoft](cortana-at-work/cortana-at-work-feedback.md) -## [Configure access to Microsoft Store](stop-employees-from-using-microsoft-store.md) -## [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md) +## [Configure Windows Spotlight on the lock screen](windows-spotlight.md) +## [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md) +## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) +### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) +### [Customize and export Start layout](customize-and-export-start-layout.md) +### [Add image for secondary tiles](start-secondary-tiles.md) +### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) +### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) +### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) +### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +### [Troubleshoot Start menu errors](start-layout-troubleshoot.md) +### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) ## [Provisioning packages for Windows 10](provisioning-packages/provisioning-packages.md) ### [How provisioning works in Windows 10](provisioning-packages/provisioning-how-it-works.md) ### [Introduction to configuration service providers (CSPs)](provisioning-packages/how-it-pros-can-use-configuration-service-providers.md) @@ -70,10 +58,10 @@ ### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-packages/provisioning-powershell.md) ### [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md) ### [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md) +#### [Changes to settings in Windows Configuration Designer](wcd/wcd-changes.md) #### [AccountManagement](wcd/wcd-accountmanagement.md) #### [Accounts](wcd/wcd-accounts.md) #### [ADMXIngestion](wcd/wcd-admxingestion.md) -#### [ApplicationManagement](wcd/wcd-applicationmanagement.md) #### [AssignedAccess](wcd/wcd-assignedaccess.md) #### [AutomaticTime](wcd/wcd-automatictime.md) #### [Browser](wcd/wcd-browser.md) @@ -99,8 +87,10 @@ #### [Folders](wcd/wcd-folders.md) #### [HotSpot](wcd/wcd-hotspot.md) #### [InitialSetup](wcd/wcd-initialsetup.md) -#### [InternetExplorer](wcd/wcd-internetexplorer.md) -#### [Licensing](wcd/wcd-licensing.md) +#### [InternetExplorer](wcd/wcd-internetexplorer.md) +#### [KioskBrowser](wcd/wcd-kioskbrowser.md) +#### [Licensing](wcd/wcd-licensing.md) +#### [Location](wcd/wcd-location.md) #### [Maps](wcd/wcd-maps.md) #### [Messaging](wcd/wcd-messaging.md) #### [ModemConfigurations](wcd/wcd-modemconfigurations.md) @@ -134,6 +124,7 @@ #### [WindowsTeamSettings](wcd/wcd-windowsteamsettings.md) #### [WLAN](wcd/wcd-wlan.md) #### [Workplace](wcd/wcd-workplace.md) +## [Configure cellular settings for tablets and PCs](provisioning-apn.md) ## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) ## [User Experience Virtualization (UE-V) for Windows](ue-v/uev-for-windows.md) ### [Get Started with UE-V](ue-v/uev-getting-started.md) @@ -162,4 +153,15 @@ #### [Synchronizing Microsoft Office with UE-V](ue-v/uev-synchronizing-microsoft-office-with-uev.md) #### [Application Template Schema Reference for UE-V](ue-v/uev-application-template-schema-reference.md) #### [Security Considerations for UE-V](ue-v/uev-security-considerations.md) +## [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) +## [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) +### [Set up a kiosk on Windows 10 Mobile or Windows 10 Mobile Enterprise](mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) +### [Use Windows Configuration Designer to configure Windows 10 Mobile devices](mobile-devices/provisioning-configure-mobile.md) +#### [NFC-based device provisioning](mobile-devices/provisioning-nfc.md) +#### [Barcode provisioning and the package splitter tool](mobile-devices/provisioning-package-splitter.md) +### [Use the Lockdown Designer app to create a Lockdown XML file](mobile-devices/mobile-lockdown-designer.md) +### [Configure Windows 10 Mobile using Lockdown XML](mobile-devices/lockdown-xml.md) +### [Settings and quick actions that can be locked down in Windows 10 Mobile](mobile-devices/settings-that-can-be-locked-down.md) +### [Product IDs in Windows 10 Mobile](mobile-devices/product-ids-in-windows-10-mobile.md) +### [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md) ## [Change history for Configure Windows 10](change-history-for-configure-windows-10.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 469b9d0261..d7be6815e1 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,13 +10,31 @@ ms.localizationpriority: medium author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 09/17/2018 +ms.date: 11/07/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## Novermber 2018 + +New or changed topic | Description +--- | --- +[Use MDM Bridge WMI Provider to create a Windows 10 kiosk](kiosk-mdm-bridge.md) | Updated script. + +## October 2018 + +New or changed topic | Description +--- | --- +[Troubleshoot multi-app kiosk](multi-app-kiosk-troubleshoot.md) and [Set up a single-app kiosk](kiosk-single-app.md) | Added event log path for auto-logon issues. + +## RELEASE: Windows 10, version 1809 + +The topics in this library have been updated for Windows 10, version 1809. The following new topic has been added: + +- [Changes to settings in Windows Configuration Designer](wcd/wcd-changes.md) + ## September 2018 New or changed topic | Description diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index 2317f9ef8e..603ee4e60e 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -6,7 +6,7 @@ keywords: ["group policy", "start menu", "start screen"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: coreyp +author: coreyp-at-msft ms.author: coreyp ms.topic: article ms.localizationpriority: medium diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index d03fac5bee..22fa51421a 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -30,9 +30,9 @@ To enable voice commands in Cortana Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background. - - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/en-us/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana). + - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana). - - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/en-us/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana). + - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana). 2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 4c3a24a318..fbea8c5ef0 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -10,7 +10,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 10/16/2017 +ms.date: 09/18/2018 --- # Customize and export Start layout @@ -132,6 +132,8 @@ When you have the Start layout that you want your users to see, use the [Export- +3. (Optional) Edit the .xml file to add [a taskbar configuration](configure-windows-10-taskbar.md) or to [modify the exported layout](start-layout-xml-desktop.md). When you make changes to the exported layout, be aware that [the order of the elements in the .xml file are critical.](start-layout-xml-desktop.md#required-order) + >[!IMPORTANT] >If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path. diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 9234ee8d90..e047635740 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -88,8 +88,8 @@ The following Windows PowerShell commands demonstrate how you can call the listA listAumids # Get a list of AUMIDs for an account named “CustomerAccount”: -listAumids(“CustomerAccount”) +listAumids("CustomerAccount") # Get a list of AUMIDs for all accounts on the device: -listAumids(“allusers”) +listAumids("allusers") ``` diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 4c7f8bc3ee..06a64d0755 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -9,7 +9,7 @@ author: jdeckerms ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 08/15/2018 +ms.date: 10/02/2018 --- # Guidelines for choosing an app for assigned access (kiosk mode) @@ -43,10 +43,12 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +In Windows 10, version 1809, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) + +In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. >[!NOTE] ->Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. +>Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. **Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education). @@ -134,8 +136,6 @@ Entry | Result ### Other browsers ->[!NOTE] ->Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. Microsoft Edge is not currently supported for assigned access. You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app: diff --git a/windows/configuration/images/enable-assigned-access-log.png b/windows/configuration/images/enable-assigned-access-log.png new file mode 100644 index 0000000000..d16f04c43a Binary files /dev/null and b/windows/configuration/images/enable-assigned-access-log.png differ diff --git a/windows/configuration/images/start-ts-1.png b/windows/configuration/images/start-ts-1.png new file mode 100644 index 0000000000..ca04fc7f77 Binary files /dev/null and b/windows/configuration/images/start-ts-1.png differ diff --git a/windows/configuration/images/start-ts-2.png b/windows/configuration/images/start-ts-2.png new file mode 100644 index 0000000000..56e1ff05d1 Binary files /dev/null and b/windows/configuration/images/start-ts-2.png differ diff --git a/windows/configuration/images/start-ts-3.png b/windows/configuration/images/start-ts-3.png new file mode 100644 index 0000000000..e62bb90aa2 Binary files /dev/null and b/windows/configuration/images/start-ts-3.png differ diff --git a/windows/configuration/images/start-ts-4.png b/windows/configuration/images/start-ts-4.png new file mode 100644 index 0000000000..71316899fd Binary files /dev/null and b/windows/configuration/images/start-ts-4.png differ diff --git a/windows/configuration/images/start-ts-5.jpg b/windows/configuration/images/start-ts-5.jpg new file mode 100644 index 0000000000..61292cac4b Binary files /dev/null and b/windows/configuration/images/start-ts-5.jpg differ diff --git a/windows/configuration/images/start-ts-6.png b/windows/configuration/images/start-ts-6.png new file mode 100644 index 0000000000..d124d38fed Binary files /dev/null and b/windows/configuration/images/start-ts-6.png differ diff --git a/windows/configuration/images/start-ts-7.png b/windows/configuration/images/start-ts-7.png new file mode 100644 index 0000000000..0c85959912 Binary files /dev/null and b/windows/configuration/images/start-ts-7.png differ diff --git a/windows/configuration/index.md b/windows/configuration/index.md index 11ec530a2c..6517e9e14f 100644 --- a/windows/configuration/index.md +++ b/windows/configuration/index.md @@ -21,17 +21,19 @@ Enterprises often need to apply custom configurations to devices for their users | Topic | Description | | --- | --- | -| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10. | +| [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md) | Windows 10 includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. This topic helps IT administrators learn about built-in accessibility features. | +| [Configure access to Microsoft Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. | +| [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. | | [Set up a shared or guest PC with Windows 10](set-up-shared-or-guest-pc.md) | Windows 10, version 1607, introduced *shared PC mode*, which optimizes Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. | | [Configure kiosk and digital signage devices running Windows 10 desktop editions](kiosk-methods.md) | These topics help you configure Windows 10 devices to run as a kiosk device. | -| [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. | -| [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. | -| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. | -| [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. | -| [Configure access to Microsoft Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. | -| [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md) | Windows 10 includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. This topic helps IT administrators learn about built-in accessibility features. | +| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

      **Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. | +| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Microsoft Store. | +| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. | | [Provisioning packages for Windows 10](provisioning-packages/provisioning-packages.md) | Learn how to use the Windows Configuration Designer and provisioning packages to easily configure multiple devices. | +| [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. | | [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) | Many of the lockdown features available in Windows Embedded 8.1 Industry have been modified in some form for Windows 10. | +| [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.| +| [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. | | [Change history for Configure Windows 10](change-history-for-configure-windows-10.md) | This topic lists new and updated topics in the Configure Windows 10 documentation for Windows 10 and Windows 10 Mobile. | diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md index d2c46dcb4c..bb333f0c3f 100644 --- a/windows/configuration/kiosk-mdm-bridge.md +++ b/windows/configuration/kiosk-mdm-bridge.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 11/07/2018 --- # Use MDM Bridge WMI Provider to create a Windows 10 kiosk @@ -81,6 +81,6 @@ $obj.Configuration = @" </Configs> </AssignedAccessConfiguration> "@ - + Set-CimInstance -CimInstance $obj ``` diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index a142517a28..8f2904b128 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -16,7 +16,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t | | | --- | --- - | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.

      When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

      A single-app kiosk is ideal for public use.

      (Using [ShellLauncher WMI](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) + | **A single-app kiosk**, which runs a single Universal Windows Platform (UWP) app in fullscreen above the lockscreen. People using the kiosk can see only that app.

      When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart.

      A single-app kiosk is ideal for public use.

      (Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen.) | ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png) | **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types.

      A multi-app kiosk is appropriate for devices that are shared by multiple people.

      When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. | ![Illustration of a kiosk Start screen](images/kiosk-desktop.png) Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. @@ -47,7 +47,7 @@ You can use this method | For this edition | For this kiosk account type You can use this method | For this edition | For this kiosk account type --- | --- | --- [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | Ent, Edu | Local standard user, Active Directory, Azure AD -[ShellLauncher WMI](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD +[Shell Launcher](kiosk-shelllauncher.md) | Ent, Edu | Local standard user, Active Directory, Azure AD [Microsoft Intune or other mobile device management (MDM)](kiosk-single-app.md#mdm) | Pro (version 1709), Ent, Edu | Local standard user, Azure AD @@ -68,7 +68,7 @@ Method | App type | Account type | Single-app kiosk | Multi-app kiosk [The kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | X | X Microsoft Intune or other MDM [for full-screen single-app kiosk](kiosk-single-app.md#mdm) or [for multi-app kiosk with desktop](lock-down-windows-10-to-specific-apps.md) | UWP, Windows desktop app | Local standard user, Azure AD | X | X -[ShellLauncher WMI](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | +[Shell Launcher](kiosk-shelllauncher.md) |Windows desktop app | Local standard user, Active Directory, Azure AD | X | [MDM Bridge WMI Provider](kiosk-mdm-bridge.md) | UWP, Windows desktop app | Local standard user, Active Directory, Azure AD | | X diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 18b9247b19..8eef8af221 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -61,7 +61,7 @@ Remove All Programs list from the Start Menu | Enabled – Remove and disable s Prevent access to drives from My Computer | Enabled - Restrict all drivers >[!NOTE] ->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. +>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. @@ -75,7 +75,7 @@ Setting | Value | System-wide [Experience/AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | 0 - Not allowed | Yes [Start/AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | 0 - Shortcut is hidden and disables the setting in the Settings app | Yes Start/HidePeopleBar | 1 - True (hide) | No -[Start/HideChangeAccountSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes +[Start/HideChangeAccountSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings) | 1 - True (hide) | Yes [WindowsInkWorkspace/AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowsinkworkspace#windowsinkworkspace-allowwindowsinkworkspace) | 0 - Access to ink workspace is disabled and the feature is turned off | Yes [Start/StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-startlayout) | Configuration dependent | No [WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index e4e836e249..986da71577 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/02/2018 --- # Prepare a device for kiosk configuration @@ -28,15 +28,22 @@ For a more secure kiosk experience, we recommend that you make the following con Recommendation | How to --- | --- -Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

      `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

      [Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

      You must restart the device after changing the registry. +Hide update notifications
      (New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
      -or-
      Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
      -or-
      Add the following registry keys as DWORD (32-bit) type:
      `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. +Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

      `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled` Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. -Hide **Ease of access** feature on the sign-in screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. +Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](https://docs.microsoft.com/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen) Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.** Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**. Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

      **NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. +## Enable logging + +Logs can help you [troubleshoot issues](multi-app-kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. + +![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) + ## Automatic logon In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 30bb50f7de..02c0137f83 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/01/2018 --- # Use Shell Launcher to create a Windows 10 kiosk @@ -25,13 +25,23 @@ ms.date: 07/30/2018 Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. >[!NOTE] +>Using the Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components. +> +>Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher. These methods include, but are not limited to: +>- [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250) - example: Prevent access to registry editing tools +>- [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies +>- [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm) - Enterprise management of device security policies +> >You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](#wizard). + + +### Requirements + >[!WARNING] >- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. ->- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. - -### Requirements +> +>- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. - A domain or local user account. diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index dc55bd5004..4af964b132 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/09/2018 --- # Set up a single-app kiosk @@ -28,7 +28,7 @@ You have several options for configuring your single-app kiosk. Method | Description --- | --- -[Assigned access in Settings](#local) | The **Assigned Access** option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

      This method is supported on Windows 10 Pro, Enterprise, and Education. +[Locally, in Settings](#local) | The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account.

      This method is supported on Windows 10 Pro, Enterprise, and Education. [PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

      This method is supported on Windows 10 Pro, Enterprise, and Education. [The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

      This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. [Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

      This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. @@ -48,7 +48,45 @@ Method | Description > >Account type: Local standard user -You can use **Settings** to quickly configure one or a few devices as a kiosk. When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) +You can use **Settings** to quickly configure one or a few devices as a kiosk. + +When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. + +- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. + +- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. + +![Screenshot of automatic sign-in setting](images/auto-signin.png) + +### Instructions for Windows 10, version 1809 + +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1809, you create the kiosk user account at the same time. + +**To set up assigned access in PC settings** + +1. Go to **Start** > **Settings** > **Accounts** > **Other users**. + +2. Select **Set up a kiosk > Assigned access**, and then select **Get started**. + +3. Enter a name for the new account. + + >[!NOTE] + >If there are any local standard user accounts on the device already, the **Create an account** page will offer the option to **Choose an existing account**. + +4. Choose the app that will run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options: + + - Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser) + - Which URL should be displayed when the kiosk accounts signs in + - When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser) + +5. Select **Close**. + +To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**. + + +### Instructions for Windows 10, version 1803 and earlier + +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) ![The Set up assigned access page in Settings](images/kiosk-settings.png) @@ -56,7 +94,7 @@ You can use **Settings** to quickly configure one or a few devices as a kiosk. 1. Go to **Start** > **Settings** > **Accounts** > **Other people**. -2. Choose **Set up assigned access**. +2. Select **Set up assigned access**. 3. Choose an account. @@ -66,13 +104,7 @@ You can use **Settings** to quickly configure one or a few devices as a kiosk. To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. -When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. -- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. - -- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. - -![Screenshot of automatic sign-in setting](images/auto-signin.png) @@ -153,7 +185,7 @@ Clear-AssignedAccess >[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Windows desktop application. @@ -168,7 +200,7 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des ![step three](images/three.png) ![account management](images/account-management.png)

      Enable account management if you want to configure settings on this page.

      **If enabled:**

      You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the device

      To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.

      Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

      **Warning:** You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.

      To create a local administrator account, select that option and enter a user name and password.

      **Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in. ![join Active Directory, Azure AD, or create a local admin account](images/account-management-details.png) ![step four](images/four.png) ![add applications](images/add-applications.png)

      You can provision the kiosk app in the **Add applications** step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md)

      **Warning:** If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in **Installer Path**, and then a **Cancel** button becomes available, allowing you to complete the provisioning package without an application. ![add an application](images/add-applications-details.png) ![step five](images/five.png) ![add certificates](images/add-certificates.png)

      To provision the device with a certificate for the kiosk app, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.![add a certificate](images/add-certificates-details.png) -![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

      You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

      If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts.

      In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.![Configure kiosk account and app](images/kiosk-account-details.png) +![step six](images/six.png) ![Configure kiosk account and app](images/kiosk-account.png)

      You can create a local standard user account that will be used to run the kiosk app. If you toggle **No**, make sure that you have an existing user account to run the kiosk app.

      If you want to create an account, enter the user name and password, and then toggle **Yes** or **No** to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**.)

      In **Configure the kiosk mode app**, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.![Configure kiosk account and app](images/kiosk-account-details.png) ![step seven](images/seven.png) ![configure kiosk common settings](images/kiosk-common.png)

      On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.![set tablet mode and configure welcome and shutdown and turn off timeout settings](images/kiosk-common-details.png) ![finish](images/finish.png)

      You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.![Protect your package](images/finish-details.png) diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 9be99277a6..93ac3c9bf4 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/02/2018 ms.author: jdecker ms.topic: article --- @@ -24,11 +24,14 @@ ms.topic: article ## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1803. +>Updated for Windows 10, version 1809. ```xml - + @@ -44,6 +47,9 @@ ms.topic: article + + + @@ -56,7 +62,7 @@ ms.topic: article @@ -80,7 +86,7 @@ ms.topic: article - + @@ -117,7 +123,7 @@ ms.topic: article - + @@ -134,7 +140,6 @@ ms.topic: article - ``` ## Kiosk only sample XML @@ -142,6 +147,7 @@ ms.topic: article @@ -161,7 +167,7 @@ ms.topic: article ## XSD for AssignedAccess configuration XML >[!NOTE] ->Updated for Windows 10, version 1803. +>Updated for Windows 10, version 1809. ```xml @@ -170,136 +176,206 @@ ms.topic: article xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" + xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config" > - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` - - - - - - - - - - - - +## XSD schema for new elements in Windows 10, version 1809 - - - - - - - - - - +```xml + + - - - - - - - - - - + + + + + - - - - + + + - - - + + + + + - - - + - - - - - + - - - - - + - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ``` \ No newline at end of file diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 7793d23b83..eb93365fca 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 01/04/2019 ms.author: jdecker ms.topic: article --- @@ -22,13 +22,17 @@ ms.topic: article - Windows 10 Pro, Enterprise, and Education -A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also: +A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. + +The following table lists changes to multi-app kiosk in recent updates. + +New features and improvements | In update +--- | --- +- Configure [a single-app kiosk profile](#profile) in your XML file

      - Assign [group accounts to a config profile](#config-for-group-accounts)

      - Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 +- Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

      - [Automatically launch an app](#allowedapps) when the user signs in

      - Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

      **Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `http://schemas.microsoft.com/AssignedAccess/201810/config`. + -- Configure [a single-app kiosk profile](#profile) in your XML file. -- Assign [group accounts to a config profile](#config-for-group-accounts). -- Configure [an account to sign in automatically](#config-for-autologon-account). -The benefit of a kiosk with desktop that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. >[!WARNING] >The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. @@ -100,11 +104,14 @@ Let's start by looking at the basic structure of the XML file. ![profile = app and config = account](images/profile-config.png) -You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. +You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) ```xml - + @@ -136,6 +143,8 @@ A lockdown profile section in the XML has the following entries: - [**AllowedApps**](#allowedapps) +- [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrictions) + - [**StartLayout**](#startlayout) - [**Taskbar**](#taskbar) @@ -160,22 +169,22 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. -Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. ->[!NOTE] ->You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout). - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). +- To configure the app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). -Here are the predefined assigned access AppLocker rules for **UWP apps**: +When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: 1. Default rule is to allow all users to launch the signed package apps. 2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list. >[!NOTE] + >You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. + > >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. Here are the predefined assigned access AppLocker rules for **desktop apps**: @@ -184,8 +193,9 @@ Here are the predefined assigned access AppLocker rules for **desktop apps**: 2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration. 3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list. -The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device. +The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. + ```xml @@ -195,11 +205,41 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula - + ``` +##### FileExplorerNamespaceRestrictions + +Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. + +The following example shows how to allow user access to the Downloads folder in the common file dialog box. + +```xml + + + + + + ... + + + + + + + ... + + + + + +``` + ##### StartLayout After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. @@ -275,7 +315,7 @@ The following example hides the taskbar: ``` >[!IMPORTANT] ->The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Direcotry account could potentially compromise confidential information. +>The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information. #### Configs @@ -297,7 +337,8 @@ You can assign: When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. -On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) + +The following example shows how to specify an account to sign in automatically. ```xml @@ -308,8 +349,22 @@ On domain-joined devices, local user accounts aren't shown on the sign-in screen ``` +In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". + +```xml + + + + + + +``` + +On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) + + >[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). ##### Config for individual accounts @@ -344,7 +399,7 @@ Before applying the multi-app configuration, make sure the specified user accoun Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. -- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. +- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group will not have the kiosk settings applied. ```xml @@ -361,7 +416,7 @@ Group accounts are specified using ``. Nested groups are not supporte ``` -- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. +- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign in. ```xml @@ -564,7 +619,7 @@ Remove All Programs list from the Start Menu | Enabled – Remove and disable s Prevent access to drives from My Computer | Enabled - Restrict all drivers >[!NOTE] ->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears expalining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. +>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index 1628b1c866..93605b8aea 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -38,12 +38,12 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

      [Hibernate Once/Resume Many (HORM)](https://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

      -N/A +[HORM](https://docs.microsoft.com/windows-hardware/customize/enterprise/hibernate-once-resume-many-horm-)

      HORM is supported in Windows 10, version 1607 and later.

      [Unified Write Filter](https://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

      -[Unified Write Filter](https://msdn.microsoft.com/en-us/library/windows/hardware/mt572001.aspx) +[Unified Write Filter](https://msdn.microsoft.com/library/windows/hardware/mt572001.aspx)

      The Unified Write Filter is continued in Windows 10.

      @@ -100,7 +100,7 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

      [Gesture Filter](https://go.microsoft.com/fwlink/p/?LinkId=626672): block swipes from top, left, and right edges of screen

      MDM and Group Policy -

      In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962(v=vs.85).aspx#LockDown_AllowEdgeSwipe) policy.

      +

      In Windows 8.1, gestures provided the ability to close an app, to switch apps, and to reach the Charms. In Windows 10, Charms have been removed. In Windows 10, version 1607, you can block swipes using the [Allow edge swipe](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#LockDown_AllowEdgeSwipe) policy.

      [Custom Logon]( https://go.microsoft.com/fwlink/p/?LinkId=626759): suppress Windows UI elements during Windows sign-on, sign-off, and shutdown

      diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 0c704c06f5..77c814e0b7 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md @@ -36,7 +36,7 @@ Since its inception, Windows 10 has included a number of user experience feature >[!TIP] > On all Windows desktop editions, users can directly enable and disable Windows 10 tips, "fun facts", and suggestions and Microsoft Store suggestions. For example, users are able to select personal photos for the lock screen as opposed to the images provided by Microsoft, or turn off tips, "fun facts", or suggestions as they use Windows. -Windows 10, version 1607 (also known as the Anniversary Update), provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions. +Windows 10 provides organizations the ability to centrally manage the type of content provided by these features through Group Policy or mobile device management (MDM). The following table describes how administrators can manage suggestions and tips in Windows 10 commercial and education editions. ## Options available to manage Windows 10 tips and "fun facts" and Microsoft Store suggestions @@ -54,7 +54,7 @@ Windows 10, version 1607 (also known as the Anniversary Update), provides organi - [Manage Windows 10 Start layout](windows-10-start-layout-options-and-policies.md) - [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) - [Windows spotlight on the lock screen](windows-spotlight.md) -- [Windows 10 editions for education customers](https://technet.microsoft.com/en-us/edu/windows/windows-editions-for-education-customers) +- [Windows 10 editions for education customers](https://technet.microsoft.com/edu/windows/windows-editions-for-education-customers)   diff --git a/windows/configuration/multi-app-kiosk-troubleshoot.md b/windows/configuration/multi-app-kiosk-troubleshoot.md index 6857cf8aac..d724cae559 100644 --- a/windows/configuration/multi-app-kiosk-troubleshoot.md +++ b/windows/configuration/multi-app-kiosk-troubleshoot.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/09/2018 ms.author: jdecker ms.topic: article --- @@ -34,7 +34,14 @@ For example: 1. [Verify that the provisioning package is applied successfully](kiosk-validate.md). 2. Verify that the account (config) is mapped to a profile in the configuration XML file. 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. +4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. +![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png) + + +## Automatic logon issues + +Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. ## Apps configured in AllowedList are blocked diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index cb66bfc3e5..b70f4fd66c 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -27,7 +27,7 @@ The CSPs are documented on the [Hardware Dev Center](https://go.microsoft.com/fw >[!NOTE]   >The explanation of CSPs and CSP documentation also apply to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile. - [See what's new for CSPs in Windows 10, version 1607.](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whatsnew_1607) + [See what's new for CSPs in Windows 10, version 1809.](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809) ## What is a CSP? diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 4783fe006b..aa66879976 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -9,7 +9,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 10/02/2018 --- # Set up a shared or guest PC with Windows 10 @@ -76,6 +76,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re | Customization: SetPowerPolicies | When set as **True**:
      - Prevents users from changing power settings
      - Turns off hibernate
      - Overrides all power state transitions to sleep (e.g. lid close) | | Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | +[Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. ##Configuring shared PC mode on Windows @@ -88,7 +89,7 @@ You can configure Windows to be in shared PC mode in a couple different ways: ![Shared PC settings in ICD](images/icd-adv-shared-pc.png) -- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For example, open PowerShell as an administrator and enter the following: +- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following: ``` $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC" diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index d5ea73a4a8..0b0e15e263 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 08/03/2018 +ms.date: 10/02/2018 --- # Set up digital signs on Windows 10 @@ -20,7 +20,7 @@ ms.date: 08/03/2018 Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed. -For digital signage, simply select a digital sign player as your kiosk app. You can also use the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content. +For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content. >[!TIP] >Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers). diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md new file mode 100644 index 0000000000..635ee7e17a --- /dev/null +++ b/windows/configuration/start-layout-troubleshoot.md @@ -0,0 +1,313 @@ +--- +title: Troubleshoot Start menu errors +description: Troubleshoot common errors related to Start menu in Windows 10. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.author: kaushika +author: kaushika-msft +ms.localizationpriority: medium +ms.date: 12/03/18 +--- + +# Troubleshoot Start Menu errors + +Start failures can be organized into these categories: + +- **Deployment/Install issues** - Easiest to identify but difficult to recover. This failure is consistent and usually permanent. Reset, restore from backup, or rollback to recover. +- **Performance issues** - More common with older hardware, low-powered machines. Symptoms include: High CPU utilization, disk contention, memory resources. This makes Start very slow to respond. Behavior is intermittent depending on available resources. +- **Crashes** - Also easy to identify. Crashes in Shell Experience Host or related can be found in System or Application event logs. This can be a code defect or related to missing or altered permissions to files or registry keys by a program or incorrect security tightening configurations. Determining permissions issues can be time consuming but a [SysInternals tool called Procmon](https://docs.microsoft.com/sysinternals/downloads/procmon) will show **Access Denied**. The other option is to get a dump of the process when it crashes and depending on comfort level, review the dump in the debugger, or have support review the data. +- **Hangs** in Shell Experience host or related. These are the hardest issues to identify as there are few events logged, but behavior is typically intermittent or recovers with a reboot. If a background application or service hangs, Start will not have resources to respond in time. Clean boot may help identify if the issue is related to additional software. Procmon is also useful in this scenario. +- **Other issues** - Customization, domain policies, deployment issues. + +## Basic troubleshooting + +When troubleshooting basic Start issues (and for the most part, all other Windows apps), there are a few things to check if they are not working as expected. When experiencing issues where the Start Menu or sub-component are not working, there are some quick tests to narrow down where the issue may reside. + +### Check the OS and update version + +- Is the system running the latest Feature and Cumulative Monthly update? +- Did the issue start immediately after an update? Ways to check: + - Powershell:[System.Environment]::OSVersion.Version + - WinVer from CMD.exe + + + +### Check if Start is installed + +- If Start fails immediately after a feature update, on thing to check is if the App package failed to install successfully. + +- If Start was working and just fails intermittently, it's likely that Start is installed correctly, but the issue occurs downstream. The way to check for this is to look for output from these two PS commands: + + - `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost` + - `get-AppXPackage -Name Microsoft.Windows.Cortana` + + ![Example of output from cmdlets](images/start-ts-1.png) + + Failure messages will appear if they are not installed + +- If Start is not installed the fastest resolution is to revert to a known good configuration. This can be rolling back the update, resetting the PC to defaults (where there is a choice to save to delete user data), or restoring from backup. There is no supported method to install Start Appx files. The results are often problematic and unreliable. + +### Check if Start is running + +If either component is failing to start on boot, reviewing the event logs for errors or crashes during boot may pin point the problem. Booting with MSCONFIG and using a selective or diagnostic startup option will eliminate and/or identify possible interference from additional applications. +- `get-process -name shellexperiencehost` +- `get-process -name searchui` + +If it is installed but not running, test booting into safe mode or use MSCONFIG to eliminate 3rd party or additional drivers and applications. + +### Check whether the system a clean install or upgrade + +- Is this system an upgrade or clean install? + - Run `test-path "$env:windir\panther\miglog.xml"` + - If that file does not exist, the system is a clean install. +- Upgrade issues can be found by running `test-path "$env:windir\panther\miglog.xml"` + + +### Check if Start is registered or activated + +- Export the following Event log to CSV and do a keyword search in a text editor or spreadsheet: + - Microsoft-Windows-TWinUI/Operational for Microsoft.Windows.ShellExperienceHost or Microsoft.Windows.Cortana + - "Package was not found" + - "Invalid value for registry" + - "Element not found" + - "Package could not be registered" + +If these events are found, Start is not activated correctly. Each event will have more detail in the description and should be investigated further. Event messages can vary. + +### Other things to consider + +When did this start? + +- Top issues for Start Menu failure are triggered + - After an update + - After installation of an application + - After joining a domain or applying a domain policy +- Many of those issues are found to be + - Permission changes on Registry keys or folders + - Start or related component crashes or hangs + - Customization failure + +To narrow this down further, it's good to note: + +- What is the install background? + - Was this a deployment, install from media, other + - Using customizations? + - DISM + - Group Policy or MDM + - copyprofile + - Sysprep + - Other + +- Domain-joined + - Group policy settings that restrict access or permissions to folders or registry keys can cause issues with Start performance. + - Some Group Policies intended for Windows 7 or older have been known to cause issues with Start + - Untested Start Menu customizations can cause unexpected behavior by typically not complete Start failures. + +- Is this a virtualized environment? + - VMware + - Citrix + - Other + +## Check Event logs that record Start Issues: + +- System Event log +- Application Event log +- Microsoft/Windows/Shell-Core* +- Microsoft/Windows/Apps/ +- Microsoft-Windows-TWinUI* +- Microsoft/Windows/AppReadiness* +- Microsoft/Windows/AppXDeployment* +- Microsoft-Windows-PushNotification-Platform/Operational +- Microsoft-Windows-CoreApplication/Operational +- Microsoft-Windows-ShellCommon-StartLayoutPopulation* +- Microsoft-Windows-CloudStore* + + +- Check for crashes that may be related to Start (explorer.exe, taskbar, etc) + - Application log event 1000, 1001 + - Check WER reports + - C:\ProgramData\Microsoft\Windows\WER\ReportArchive\ + - C:\ProgramData\Micrt\Windowsosof\WER\ReportQueue\ + +If there is a component of Start that is consistently crashing, capture a dump which can be reviewed by Microsoft Support. + +## Common errors and mitigation + +The following list provides information about common errors you might run into with Start Menu, as well as steps to help you mitigate them. + +### Symptom: Start Menu doesn't respond on Windows 2012 R2, Windows 10, or Windows 2016 + +**Cause**: Background Tasks Infrastructure Service (BrokerInfrastructure) service is not started. + +**Resolution**: Ensure that Background Tasks Infrastructure Service is set to automatic startup in Services MMC. + +If Background Tasks Infrastructure Service fails to start, verify that the Power Dependency Coordinator Driver (PDC) driver and registry key are not disabled or deleted. If either are missing, restore from backup or the installation media. + +To verify the PDC Service, run `C:\>sc query pdc` in a command prompt. The results will be similar to the following: + +>SERVICE_NAME: pdc +>TYPE : 1 KERNEL_DRIVER +>STATE : 4 RUNNING +> (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) +>WIN32_EXIT_CODE : 0 (0x0) +>SERVICE_EXIT_CODE : 0 (0x0) +>CHECKPOINT : 0x0 +>WAIT_HINT : 0x0 + +The PDC service uses pdc.sys located in the %WinDir%\system32\drivers. + +The PDC registry key is: +`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pdc` +**Description**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-101" +**DisplayName**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-100" +**ErrorControl**=dword:00000003 +**Group**="Boot Bus Extender" +**ImagePath**=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\ + 72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,64,00,63,00,2e,00,73,00,79,\ + 00,73,00,00,00 +**Start**=dword:00000000 +**Type**=dword:00000001 + +In addition to the listed dependencies for the service, Background Tasks Infrastructure Service requires the Power Dependency Coordinator Driver to be loaded. If the PDC does not load at boot, Background Tasks Infrastructure Service will fail and affect Start Menu. +Events for both PDC and Background Tasks Infrastructure Service will be recorded in the event logs. PDC should not be disabled or deleted. BrokerInfrastructure is an automatic service. This Service is required for all these operating Systems as running to have a stable Start Menu. + +>[!NOTE] +>You cannot stop this automatic service when machine is running (C:\windows\system32\svchost.exe -k DcomLaunch -p). + + +### Symptom: After upgrading from 1511 to 1607 versions of Windows, the Group Policy "Remove All Programs list from the Start Menu" may not work + +**Cause**: There was a change in the All Apps list between Windows 10, versions 1511 and 1607. These changes mean the original Group Policy and corresponding registry key no longer apply. + +**Resolution**: This issue was resolved in the June 2017 updates. Please update Windows 10, version 1607 to the latest cumulative or feature updates. + +>[!Note] +>When the Group Policy is enabled, the desired behavior also needs to be selected. By default, it is set to **None**. + + +### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start Menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted + +![Screenshots that show download icons on app tiles and missing app tiles](images/start-ts-2.png) + +**Cause**: This is a known issue where the first-time logon experience is not detected and does not trigger the install of some Apps. + +**Resolution**: This issue has been fixed for Windows 10, version 1709 in [KB 4089848](https://support.microsoft.com/help/4089848) March 22, 2018—KB4089848 (OS Build 16299.334) + +### Symptom: When attempting to customize Start Menu layout, the customizations do not apply or results are not expected + +**Cause**: There are two main reasons for this issue: + +- Incorrect format: Editing the xml file incorrectly by adding an extra space or spaces, entering a bad character, or saving in the wrong format. + - To tell if the format is incorrect, check for **Event ID: 22** in the "Applications and Services\Microsoft\Windows\ShellCommon-StartLayoutPopulation\Operational" log. + - Event ID 22 is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. + - When editing the xml file, it should be saved in UTF-8 format. + +- Unexpected information: This occurs when possibly trying to add a tile via unexpected or undocumented method. + - **Event ID: 64** is logged when the xml is valid but has unexpected values. + - For example: The following error occurred while parsing a layout xml file: The attribute 'LayoutCustomizationRestrictiontype' on the element '{http://schemas.microsoft.com/Start/2014/LayoutModification}DefaultLayoutOverride' is not defined in the DTD/Schema. + +XML files can and should be tested locally on a Hyper-V or other virtual machine before deployment or application by Group Policy + +### Symptom: Start menu no longer works after a PC is refreshed using F12 during start up + +**Description**: If a user is having problems with a PC, is can be refreshed, reset, or restored. Refreshing the PC is a beneficial option because it maintains personal files and settings. When users have trouble starting the PC, "Change PC settings" in Settings is not accessible. So, to access the System Refresh, users may use the F12 key at start up. Refreshing the PC finishes, but Start Menu is not accessible. + +**Cause**: This is a known issue and has been resolved in a cumulative update released August 30th 2018. + +**Resolution**: Install corrective updates; a fix is included in the [September 11, 2018-KB4457142 release](https://support.microsoft.com/help/4457142). + +### Symptom: The All Apps list is missing from Start menu + +**Cause**: “Remove All Programs list from the Start menu" Group Policy is enabled. + +**Resolution**: Disable the “Remove All Programs list from the Start menu" Group Policy. + +### Symptom: Tiles are missing from the Start Menu when using Windows 10, version 1703 or older, Windows Server 2016, and Roaming User Profiles with a Start layout + +**Description**: There are two different Start Menu issues in Windows 10: +- Administrator configured tiles in the start layout fail to roam. +- User-initiated changes to the start layout are not roamed. + +Specifically, behaviors include + - Applications (apps or icons) pinned to the start menu are missing. + - Entire tile window disappears. + - The start button fails to respond. + - If a new roaming user is created, the first logon appears normal, but on subsequent logons, tiles are missing. + + +![Example of a working layout](images/start-ts-3.png) + +*Working layout on first sign-in of a new roaming user profile* + +![Example of a failing layout](images/start-ts-4.png) + +*Failing layout on subsequent sign-ins* + + +**Cause**: A timing issue exists where the Start Menu is ready before the data is pulled locally from the Roaming User Profile. The issue does not occur on first logons of a new roaming user, as the code path is different and slower. + +**Resolution**: This issue has been resolved in Windows 10, versions 1703 and 1607, cumulative updates [as of March 2017](https://support.microsoft.com/help/4013429). + + +### Symptom: Start Menu layout customizations are lost after upgrading to Windows 10, version 1703 + +**Description**: + +Before the upgrade: + + ![Example of Start screen with customizations applied](images/start-ts-5.jpg) + +After the upgrade the user pinned tiles are missing: + + ![Example of Start screen with previously pinned tiles missing](images/start-ts-6.png) + +Additionally, users may see blank tiles if logon was attempted without network connectivity. + + ![Example of blank tiles](images/start-ts-7.png) + + +**Resolution**: This is fixed in [October 2017 update](https://support.microsoft.com/en-us/help/4041676). + +### Symptom: Tiles are missing after upgrade from Windows 10, version 1607 to version 1709 for users with Roaming User Profiles (RUP) enabled and managed Start Menu layout with partial lockdown + +**Resolution** The April 2018 LCU must be applied to Windows 10, version 1709 before a user logs on. + +### Symptom: Start Menu and/or Taskbar layout customizations are not applied if CopyProfile option is used in an answer file during Sysprep + +**Resolution**: CopyProfile is no longer supported when attempting to customize Start Menu or taskbar with a layoutmodification.xml. + +### Symptom: Start Menu issues with Tile Data Layer corruption + +**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database. + +**Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed. + +1. The App or Apps work fine when you click on the tiles. +2. The tiles are blank, have a generic placeholder icon, have the wrong or strange title information. +3. The app is missing, but listed as installed via Powershell and works if you launch via URI. + - Example: `windows-feedback://` +4. In some cases, Start can be blank, and Action Center and Cortana do not launch. + +>[!Note] +>Corruption recovery removes any manual pins from Start. Apps should still be visible, but you’ll need to re-pin any secondary tiles and/or pin app tiles to the main Start view. Aps that you have installed that are completely missing from “all apps” is unexpected, however. That implies the re-registration didn’t work. + +- Open a command prompt, and run the following command: + +``` +C:\Windows\System32\tdlrecover.exe -reregister -resetlayout -resetcache +``` + +Although a reboot is not required, it may help clear up any residual issues after the command is run. + + + + + + + + + + + + diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index 6dc0b4da16..e95d1cc298 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -8,7 +8,7 @@ ms.sitesec: library author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 09/17/2018 +ms.date: 10/02/2018 ms.localizationpriority: medium --- @@ -73,6 +73,7 @@ The following table lists the supported elements and attributes for the LayoutMo | [RequiredStartGroups](#requiredstartgroups)

      Parent:
      RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout | | [AppendGroup](#appendgroup)

      Parent:
      RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout | | [start:Tile](#specify-start-tiles)

      Parent:
      AppendGroup | AppUserModelID
      Size
      Row
      Column | Use to specify any of the following:
      - A Universal Windows app
      - A Windows 8 or Windows 8.1 app

      Note that AppUserModelID is case-sensitive. | +start:Folder

      Parent:
      start:Group | Name (in Windows 10, version 1809 and later only)
      Size
      Row
      Column
      LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile). | start:DesktopApplicationTile

      Parent:
      AppendGroup | DesktopApplicationID
      DesktopApplicationLinkPath
      Size
      Row
      Column | Use to specify any of the following:
      - A Windows desktop application with a known AppUserModelID
      - An application in a known folder with a link in a legacy Start Menu folder
      - A Windows desktop application link in a legacy Start Menu folder
      - A Web link tile with an associated .url file that is in a legacy Start Menu folder | | start:SecondaryTile

      Parent:
      AppendGroup | AppUserModelID
      TileID
      Arguments
      DisplayName
      Square150x150LogoUri
      ShowNameOnSquare150x150Logo
      ShowNameOnWide310x150Logo
      Wide310x150LogoUri
      BackgroundColor
      ForegroundText
      IsSuggestedApp
      Size
      Row
      Column | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. | | TopMFUApps

      Parent:
      LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area.

      **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | diff --git a/windows/configuration/start-taskbar-lockscreen.md b/windows/configuration/start-taskbar-lockscreen.md deleted file mode 100644 index 083777bcdd..0000000000 --- a/windows/configuration/start-taskbar-lockscreen.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -title: Configure Start layout, taskbar, and lock screen for Windows 10 PCs (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: jdeckerms -ms.author: jdecker -ms.topic: article -ms.date: 07/27/2017 ---- - -# Configure Start layout, taskbar, and lock screen for Windows 10 PCs - - - -## In this section - -| Topic | Description | -| --- | --- | -| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

      **Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. | -| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Microsoft Store. | -| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. | - - -## Related topics - -- [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) \ No newline at end of file diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md index 27bc5fc49f..eb3d236c32 100644 --- a/windows/configuration/stop-employees-from-using-microsoft-store.md +++ b/windows/configuration/stop-employees-from-using-microsoft-store.md @@ -25,6 +25,9 @@ ms.date: 4/16/2018 IT pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. +> [!Important] +> All executable code including Microsoft Store applications should have an update and maintenance plan. Organizations that use Microsoft Store applications should ensure that the applications can be updated through the Microsoft Store over the internet, through the [Private Store](/microsoft-store/distribute-apps-from-your-private-store), or [distributed offline](/microsoft-store/distribute-offline-apps) to keep the applications up to date. + ## Options to configure access to Microsoft Store @@ -80,8 +83,7 @@ You can also use Group Policy to manage access to Microsoft Store. 4. On the **Turn off Store application** setting page, click **Enabled**, and then click **OK**. > [!Important] -> Enabling **Turn off Store application** policy turns off app updates from Microsoft Store. - +> Enabling **Turn off Store application** policy turns off app updates from Microsoft Store. ## Block Microsoft Store using management tool diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md index 7ac31a3a1f..d6ca23c105 100644 --- a/windows/configuration/ue-v/uev-for-windows.md +++ b/windows/configuration/ue-v/uev-for-windows.md @@ -96,4 +96,4 @@ You can also [customize UE-V to synchronize settings](uev-deploy-uev-for-custom- ## Have a suggestion for UE-V? -Add or vote on suggestions on the [User Experience Virtualization feedback site](http://uev.uservoice.com/forums/280428-microsoft-user-experience-virtualization).
      For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). +For UE-V issues, use the [UE-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-us/home?forum=mdopuev&filter=alltypes&sort=lastpostdesc). diff --git a/windows/configuration/ue-v/uev-getting-started.md b/windows/configuration/ue-v/uev-getting-started.md index 301f4a7b07..de3fecb42b 100644 --- a/windows/configuration/ue-v/uev-getting-started.md +++ b/windows/configuration/ue-v/uev-getting-started.md @@ -47,7 +47,7 @@ You’ll need to deploy a settings storage location, a standard network share wh **Create a network share** -1. Create a new security group and add UE-V users to it. +1. Create a new security group and add UE-V users to the group. 2. Create a new folder on the centrally located computer that stores the UE-V settings packages, and then grant the UE-V users access with group permissions to the folder. The administrator who supports UE-V must have permissions to this shared folder. @@ -80,7 +80,7 @@ For evaluation purposes, enable the service on at least two devices that belong The UE-V service is the client-side component that captures user-personalized application and Windows settings and saves them in settings packages. Settings packages are built, locally stored, and copied to the settings storage location. Before enabling the UE-V service, you'll need to register the UE-V templates for first use. In a PowerShell window, type `Register-UevTemplate [TemplateName]` where **TemplateName** is the name of the UE-V template you want to register, and press ENTER. For instance, to register all built-in UE-V templates, use the following PowerShell Command: -'Get-childItem c:\programdata\Microsoft\UEV\InboxTemplates\*.xml|% {Register-UevTemplate $_.Fullname}' +`Get-childItem c:\programdata\Microsoft\UEV\InboxTemplates\*.xml|% {Register-UevTemplate $_.Fullname}` A storage path must be configured on the client-side to tell where the personalized settings are stored. diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index 8a119cf39e..f91ada9764 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md +++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -35,10 +35,10 @@ When replacing a user’s device, UE-V automatically restores settings if the us You can also use the Windows PowerShell cmdlet, Restore-UevBackup, to restore settings from a different device. To clone the settings packages for the new device, use the following cmdlet in Windows PowerShell: ``` syntax -Restore-UevBackup -Machine +Restore-UevBackup -ComputerName ``` -where <MachineName> is the computer name of the device. +where <ComputerName> is the computer name of the device. Templates such as the Office 2013 template that include many applications can either all be included in the roamed (default) or backed up profile. Individual apps in a template suite follow the group. Office 2013 in-box templates include both roaming and backup-only settings. Backup-only settings cannot be included in a roaming profile. diff --git a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md index 585fe8822f..eea5619b50 100644 --- a/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md +++ b/windows/configuration/ue-v/uev-synchronizing-microsoft-office-with-uev.md @@ -84,7 +84,7 @@ Review the following tables for details about Office support in UE-V:

      Microsoft PowerPoint 2016

      Microsoft Project 2016

      Microsoft Publisher 2016

      -

      Microsoft SharePoint Designer 2013 (not udpated for 2016)

      +

      Microsoft SharePoint Designer 2013 (not updated for 2016)

      Microsoft Visio 2016

      Microsoft Word 2016

      Microsoft Office Upload Manager

      diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md deleted file mode 100644 index 058450c727..0000000000 --- a/windows/configuration/wcd/wcd-applicationmanagement.md +++ /dev/null @@ -1,73 +0,0 @@ ---- -title: ApplicationManagement (Windows 10) -description: This section describes the ApplicationManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -ms.localizationpriority: medium -ms.author: jdecker -ms.topic: article -ms.date: 09/12/2017 ---- - -# ApplicationManagement (Windows Configuration Designer reference) - -Use these settings to manage app installation and management. - ->[!NOTE] ->ApplicationManagement settings are not available in Windows 10, version 1709, and later. - -## Applies to - -| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAllTrustedApps](#allowalltrustedapps) | | | | | X | -| [AllowAppStoreAutoUpdate](#allowappstoreautoupdate) | | | | | X | -| [RestrictAppDataToSystemVolume](#restrictappdatatosystemvolume) | | | | | X | -| [RestrictAppToSystemVolume](#restrictapptosystemvolume) | | | | | X | - -## AllowAllTrustedApps - -Specifies whether non-Microsoft Store apps are allowed. - -| Value | Description | -| --- | --- | -| No | Only Microsoft Store apps are allowed | -| Yes | Non-Microsoft Store apps are allowed | - -## AllowAppStoreAutoUpdate - -Specifies whether automatic update of apps from Microsoft Store are allowed - -| Value | Description | -| --- | --- | -| Disallowed | Automatic update of apps is not allowed | -| Allowed | Automatic update of apps is allowed | - - -## RestrictAppDataToSystemVolume - -Specifies whether application data is restricted to the system drive. - -| Value | Description | -| --- | --- | -| 0 | Not restricted | -| 1 | Restricted | - - -## RestrictAppToSystemVolume - -Specifies whether the installation of applications is restricted to the system drive. - -| Value | Description | -| --- | --- | -| 0 | Not restricted | -| 1 | Restricted | - -## Related topics - -- [Policy configuration service provider (CSP): ApplicationManagement/AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) -- [Policy CSP: ApplicationManagement/AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) -- [Policy CSP: ApplicationManagement/RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) -- [Policy CSP: ApplicationManagement/RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md index ae8d42c8ee..ff12b64898 100644 --- a/windows/configuration/wcd/wcd-assignedaccess.md +++ b/windows/configuration/wcd/wcd-assignedaccess.md @@ -30,7 +30,7 @@ Enter the account and the application you want to use for Assigned access, using **Example**: ``` -"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" +{"Account":"domain\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} ``` ## MultiAppAssignedAccessSettings diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index 3ed958488d..c7cd5a030f 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # Browser (Windows Configuration Designer reference) @@ -19,10 +19,32 @@ Use to configure browser settings that should only be set by OEMs who are part o | Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | +| [AllowPrelaunch](#allowprelaunch) | | | X | | | +| [FavoriteBarItems](#favoritebaritems) | X | | | | | | [Favorites](#favorites) | | X | | | | | [PartnerSearchCode](#partnersearchcode) | X | X | X | | | | [SearchProviders](#searchproviders) | | X | | | | + +## AllowPrelaunch + +Use this setting to allow Microsoft Edge to pre-launch during Windows sign-in, when the system is idle, and each time that Microsoft Edge is closed. Pre-launch minimizes the amount of time required to start Microsoft Edge. + +Select between **Prevent Pre-launching** and **Allow Pre-launching**. + +## FavoriteBarItems + +Use to add items to the Favorites Bar in Microsoft Edge. + +1. Enter a name for the item, and select **Add**. (The name you enter here is only used to distinguish the group of settings, and is not shown on the device when the settings are applied.) +2. In **Available customizations**, select the item that you added, and then configure the following settings for that item: + +Setting | Description +--- | --- +ItemFavIconFile | Enter the path to the icon file, local to the device where the browser will run. The icon file must be added to the device to the specified path. +ItemName | Enter the name for the item, which will be displayed on the Favorites Bar. +ItemUrl | Enter the target URL for the item. + ## Favorites Use to configure the default list of Favorites that show up in the browser. diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md index dd7a6057aa..cde8d098c0 100644 --- a/windows/configuration/wcd/wcd-calling.md +++ b/windows/configuration/wcd/wcd-calling.md @@ -86,7 +86,7 @@ ResetCallForwarding | When set to **True**, user is provided with an option to r ShowCallerIdNetworkDefaultSetting | Indicates whether the network default setting can be allowed for outgoing caller ID. ShowVideoCallingSwitch | Use to specify whether to show the video capability sharing switch on the mobile device's Settings screen. ShowVideoCapabilitySwitch | Configure the phone settings to show the video capability sharing switch. -SupressVideoCallingChargesDialog | Configure the phone settings CPL to supress the video calling charges dialog. +SupressVideoCallingChargesDialog | Configure the phone settings CPL to suppress the video calling charges dialog. UssdExclusionList | List used to exclude predefined USSD entries, allowing the number to be sent as standard DTMF tones instead. Set UssdExclusionList to the list of desired exclusions, separated by semicolons. For example, setting the value to 66;330 will override 66 and 330. Leading zeros are specified by using F. For example, to override code 079, set the value to F79. If you set UssdExclusionList, you must set IgnoreUssdExclusions as well. Otherwise, the list will be ignored. See [List of USSD codes](#list-of-ussd-codes) for values. WiFiCallingOperatorName | Enter the operator name to be shown when the phone is using WiFi calling. If you don't set a value for WiFiCallingOperatorName, the device will always display **SIMServiceProviderName Wi-Fi**, where *SIMServiceProviderName* is a string that corresponds to the SPN for the SIM on the device. If the service provider name in the SIM is not set, only **Wi-Fi** will be displayed. diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md index 66fd0b6bc1..b7b52b37af 100644 --- a/windows/configuration/wcd/wcd-cellcore.md +++ b/windows/configuration/wcd/wcd-cellcore.md @@ -8,11 +8,13 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # CellCore (Windows Configuration Designer reference) +>Setting documentation is provided for Windows 10, version 1803 and earlier. CellCore is not available in Windows 10, version 1809. + Use to configure settings for cellular data. >[!IMPORTANT] diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 290e3f52cb..f6c9545c4a 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 09/21/2017 +ms.date: 10/02/2018 --- # Cellular (Windows Configuration Designer reference) @@ -24,39 +24,54 @@ Use to configure settings for cellular connections. | --- | :---: | :---: | :---: | :---: | :---: | | All settings | X | | | | | +## PerDevice +See [SignalBarMappingTable](#signalbarmappingtable) + +## PerSimSettings To begin, enter a SIM integrated circuit card identifier (**SimIccid**), and click **Add**. In the **Customizations** pane, select the SimIccid that you just entered and configure the following settings for it. -## AccountExperienceURL +### AccountExperienceURL Enter the URL for the mobile operator's web page. -## AppID +### AppID Enter the AppID for the mobile operator's app in Microsoft Store. -## BrandingIcon +### BrandingIcon Browse to and select an .ico file. -## BrandingIconPath +### BrandingIconPath Enter the destination path for the BrandingIcon .ico file. -## BrandingName +### BrandingName Enter the service provider name for the mobile operator. -## NetworkBlockList - -Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). - -## SIMBlockList +### NetworkBlockList Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). -## UseBrandingNameOnRoaming +### SignalBarMappingTable + +>[!NOTE] +>SignalBarMappingTable can be configured per device or per sim. + +Use the **SignalBarMappingTable** settings to customize the number of bars displayed based on signal strength. Set a signal strength minimum for each bar number. + +1. Expand **SignalBarMappingTable**, select a bar number in **SignalForBars**, and select **Add**. +2. Select the signal bar number in **Available customizations**, and enter a minimum signal strength value, between 0 and 31. + +### SIMBlockList + +Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). + + +### UseBrandingNameOnRoaming Select an option for displaying the BrandingName when the device is roaming. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md new file mode 100644 index 0000000000..b51c2ab60e --- /dev/null +++ b/windows/configuration/wcd/wcd-changes.md @@ -0,0 +1,83 @@ +--- +title: Changes to settings in Windows Configuration Designer (Windows 10) +description: This section describes the changes to settings in Windows Configuration Designer in Windows 10, version 1809. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 10/02/2018 +--- + +# Changes to settings in Windows Configuration Designer + +Settings added in Windows 10, version 1809 + + +- [Browser > AllowPrelaunch](wcd-browser.md#allowprelaunch) +- [Browser > FavoriteBarItems](wcd-browser.md#favoritebaritems) +- [Cellular > SignalBarMappingTable](wcd-cellular.md#signalbarmappingtable) +- [KioskBrowser](wcd-kioskbrowser.md) +- [Location](wcd-location.md) +- [Policies > ApplicationManagement > LaunchAppAfterLogOn](wcd-policies.md#applicationmanagement) +- [Policies > Authentication:](wcd-policies.md#authentication) + - EnableFastFirstSignin + - EnableWebSignin + - PreferredAadTenantDomainName +- [Policies > Browser:](wcd-policies.md#browser) + - AllowFullScreenMode + - AllowPrelaunch + - AllowPrinting + - AllowSavingHistory + - AllowSideloadingOfExtensions + - AllowTabPreloading + - AllowWebContentOnNewTabPage + - ConfigureFavoritesBar + - ConfigureHomeButton + - ConfigureKioskMode + - ConfigureKioskResetAfterIdleTimer + - ConfigureOpenMicrosoftEdgeWith + - ConfigureTelemetryForMicrosoft365 + - FirstRunURL + - PreventCertErrorOverrides + - PreventTurningOffRequiredExtensions + - SetHomeButtonURL + - SetNewTabPageURL + - UnlockHomeButton +- [Policies > DeliveryOptimization:](wcd-policies.md#deliveryoptimization) + - DODelayBackgroundDownloadFromHttp + - DODelayForegroundDownloadFromHttp + - DOGroupIdSource + - DOPercentageMaxBackDownloadBandwidth + - DOPercentageMaxForeDownloadBandwidth + - DORestrictPeerSelectionsBy + - DOSetHoursToLimitBackgroundDownloadBandwidth + - DOSetHoursToLimitForegroundDownloadBandwidth +- [Policies > KioskBrowser](wcd-policies.md#kioskbrowser) > EnableEndSessionButton +- [Policies > Search](wcd-policies.md#search) > DoNotUseWebResults +- [Policies > System:](wcd-policies.md#system) + - DisableDeviceDelete + - DisableDiagnosticDataViewer +- [Policies > Update:](wcd-policies.md#update) + - AutoRestartDeadlinePeriodInDaysForFeatureUpdates + - EngagedRestartDeadlineForFeatureUpdates + - EngagedRestartSnoozeScheduleForFeatureUpdates + - EngagedRestartTransitionScheduleForFeatureUpdates + - ExcludeWUDriversInQualityUpdate + - SetDisablePauseUXAccess + - SetDisableUXWUAccess + - UpdateNotificationLevel +- [UnifiedWriteFilter > OverlayFlags](wcd-unifiedwritefilter.md#overlayflags) +- [UnifiedWriteFilter > ResetPersistentState](wcd-unifiedwritefilter.md#resetpersistentstate) +- [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) + + +Settings removed in Windows 10, version 1809 + +- [CellCore](wcd-cellcore.md) +- [Policies > Browser:](wcd-policies.md#browser) + - AllowBrowser + - PreventTabReloading + diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index b797544274..38bdf81ca7 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md @@ -19,12 +19,12 @@ Use to configure profiles that a user will connect with, such as an email accoun | Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| [Email](#email) | X | X | X | | X | -| [Exchange](#exchange) | X | X | X | | X | -| [KnownAccounts](#knownaccounts) | X | X | X | | X | -| [VPN](#vpn) | X | X | X | X | X | -| [WiFiSense](#wifisense) | X | X | X | | X | -| [WLAN](#wlan) | X | X | X | X | X | +| [Email](#email) | X | X | X | | | +| [Exchange](#exchange) | X | X | X | | | +| [KnownAccounts](#knownaccounts) | X | X | X | | | +| [VPN](#vpn) | X | X | X | X | | +| [WiFiSense](#wifisense) | X | X | X | | | +| [WLAN](#wlan) | X | X | X | X | | ## Email diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md index 70a65ed02e..b245647edf 100644 --- a/windows/configuration/wcd/wcd-devicemanagement.md +++ b/windows/configuration/wcd/wcd-devicemanagement.md @@ -50,7 +50,7 @@ Use to configure device management settings. | ProtocolVersion | Select between **1.1** and **1.2** for the OMA DM protocol version that the server supports | | **Role** | Select between **Enterprise** and **Mobile Operator** for the role mask that the DM session runs with when it communicates with the server | | **ServerID** | Enter the OMA DM server's unique identifier for the current OMA DM account | -| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certficate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). | +| SSLClientCertSearchCriteria | Specify the client certificate search criteria, by subject attribute and certificate stores. For details, see [DMAcc configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dmacc-csp). | | UseHardwareDeviceID | Specify whether to use the hardware ID for the ./DevInfo/DevID parameter in the DM account to identify the device | | UseNonceResync | Specify whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication | @@ -90,4 +90,4 @@ In **PROVURL**, enter the URL for a Trusted Provisioning Server (TPS). ## Related topics - [DMAcc configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/dmacc-csp) -- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp) \ No newline at end of file +- [PXLOGICAL CSP](https://docs.microsoft.com/windows/client-management/mdm/pxlogical-csp) diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md index d3dbe83cdf..e2bdada785 100644 --- a/windows/configuration/wcd/wcd-hotspot.md +++ b/windows/configuration/wcd/wcd-hotspot.md @@ -8,121 +8,10 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 12/18/2018 --- # HotSpot (Windows Configuration Designer reference) -Use HotSpot settings to configure Internet sharing. - -## Applies to - -| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| All settings | | X | | | | - ->[!NOTE] ->Although the HotSpot settings are available in advanced editing for multiple editions, the settings are only supported on devices running Windows 10 Mobile. - -## DedicatedConnections - -(Optional) Set DedicatedConnections to a semicolon-separated list of connections. - -Specifies the list of Connection Manager cellular connections that Internet sharing will use as public connections. - -By default, any available connection will be used as a public connection. However, this node allows a mobile operator to specify one or more connection names to use as public connections. - -Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections. - -The mapping policy will also include the connection specified in the TetheringNAIConnection value as well. - - If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share. - - - -## Enabled - -Specify **True** to enable Internet sharing on the device or **False** to disable Internet sharing. - -If Enabled is initially set to **True**, the feature is turned off and the internet sharing screen is removed from Settings so that the user cannot access it. Configuration changes or connection sharing state changes will not be possible. - -When Enabled is set to **False**, the internet sharing screen is added to Settings, although sharing is turned off by default until the user turns it on. - -## EntitlementDll - -Enter the path to the entitlement DLL used to make entitlement checks that verify that the device is entitled to use the Internet sharing service on a mobile operator's network. - -## EntitlementInterval - -Enter the time interval, in seconds, between entitlement checks. - -## EntitlementRequired - -Specify whether the device requires an entitlement check to determine if Internet sharing should be enabled. - -## MaxBluetoothUsers - -(Optional) Specify the maximum number of simultaneous Bluetooth users that can be connected to a device while sharing over Bluetooth. Set MaxBluetoothUsers to an integer value between 1 and 7 inclusive. The default value is 7. - - -## MaxUsers - -(Optional) Specify the maximum number of simultaneous users that can be connected to a device while sharing. Set MaxUsers to an integer value between 1 and 8 inclusive. The default value is 5. - - -## MOAppLink - -(Optional) Enter an application link that points to a pre-installed application, provided by the mobile operator. that will help a user to subscribe to the mobile operator's Internet sharing service when Internet sharing is not provisioned or entitlement fails. - -Set MOAppLink to a valid app ID. The general format for the link is *app://MOappGUID*. For example, if your app ID is `12345678-9012-3456-7890-123456789012`, you must set the value to `app://12345678-9012-3456-7890-123456789012`. - - -## MOHelpMessage - -(Optional) Enter a reference to a localized string, provided by the mobile operator, that is displayed when Internet sharing is not enabled due to entitlement failure. The node takes a language-neutral registry value string, which has the following form: - -``` -@,- -``` - -Where `` is the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](https://msdn.microsoft.com/library/windows/desktop/dd374120.aspx). - -## MOHelpNumber - -(Optional) Enter a mobile operator–specified phone number that is displayed to the user when the Internet sharing service fails to start. The user interface displays a message informing the user that they can call the specified number for help. - - - -## MOInfoLink - -(Optional) Enter a mobile operator–specified HTTP link that is displayed to the user when Internet sharing is disabled or the device is not entitled. The user interface displays a message informing the user that they can visit the specified link for more information about how to enable the feature. - -## PeerlessTimeout - -(Optional) Enter the time-out period, in minutes, after which Internet sharing should automatically turn off if there are no active clients. - -Set PeerlessTimeout to any value between 1 and 120 inclusive. A value of 0 is not supported. The default value is 5 minutes. - -## PublicConnectionTimeout - -(Optional) Enter the time-out value, in minutes, after which Internet sharing is automatically turned off if a cellular connection is not available. - -Set PublicConnectionTimeout to any value between 1 and 60 inclusive. The default value is 20 minutes. A value of 0 is not supported. - - -## TetheringNAIConnection - -(Optional) Specify the CDMA TetheringNAI Connection Manager cellular connection that Internet sharing will use as a public connection. Set TetheringNAIConnection to the CDMA TetheringNAI Connection Manager cellular connection. - -If a CDMA mobile operator requires using a Tethering NAI during Internet sharing, they must configure a TetheringNAI connection and then specify the connection in this node. - -Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.The mapping policy will also include the connection specified in the TetheringNAIConnection value as well. - -If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share. - ->[!NOTE] ->CDMA phones are limited to one active data connection at a time. This means any application or service (such as e-mail or MMS) that is bound to another connection may not work while Internet sharing is turned on. - - - +Do not use. Enterprise admins who want to configure settings for mobile hotspots should use [Policies > Wifi](#wcd-policies.md#wifi). Mobile operators should use the [Country and Operator Settings Asset (COSA) format](https://docs.microsoft.com/windows-hardware/drivers/mobilebroadband/cosa-overview). diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md new file mode 100644 index 0000000000..29f19e45e4 --- /dev/null +++ b/windows/configuration/wcd/wcd-kioskbrowser.md @@ -0,0 +1,44 @@ +--- +title: KioskBrowser (Windows 10) +description: This section describes the KioskBrowser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 10/02/2018 +--- + +# KioskBrowser (Windows Configuration Designer reference) + +Use KioskBrowser settings to configure Internet sharing. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | | | X | + +>[!NOTE] +>To configure Kiosk Browser settings for desktop editions, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser). + +Kiosk Browser settings | Use this setting to +--- | --- +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

      For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

      If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. +Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. +Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. +Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. +Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. + +>[!IMPORTANT] +>To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: +> +> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. +>2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). +>3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). +>4. Save the XML file. +>5. Open the project again in Windows Configuration Designer. +>6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md new file mode 100644 index 0000000000..f54b9343b1 --- /dev/null +++ b/windows/configuration/wcd/wcd-location.md @@ -0,0 +1,26 @@ +--- +title: Location (Windows 10) +description: This section describes the Location settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 10/02/2018 +--- + +# Location (Windows Configuration Designer reference) + +Use Location settings to configure location services. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| [EnableLocation](#enablelocation) | | | | | X | + +## EnableLocation + +Use this setting to enable or disable location services for the device. diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md index e533cd7b14..5da3446971 100644 --- a/windows/configuration/wcd/wcd-policies.md +++ b/windows/configuration/wcd/wcd-policies.md @@ -8,35 +8,35 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 08/03/2018 +ms.date: 10/02/2018 --- # Policies (Windows Configuration Designer reference) -This section describes the **Policies** settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the [Policy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider). +This section describes the **Policies** settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider). ## AboveLock | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowActionCenterNotifications](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | X | | | | -| [AllowToasts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | X | X | | | | +| [AllowActionCenterNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | X | | | | +| [AllowToasts](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | X | X | | | | ## Accounts | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddingNonMicrosoftAccountManually](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | | -| [AllowMicrosoftAccountConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | | X | | -| [AllowMicrosoftAccountSigninAssistant](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | | -| [DomainNamesForEmailSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | | +| [AllowAddingNonMicrosoftAccountManually](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | | +| [AllowMicrosoftAccountConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | | X | | +| [AllowMicrosoftAccountSigninAssistant](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | | +| [DomainNamesForEmailSync](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | | ## ApplicationDefaults | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [DefaultAssociationsConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | | +| [DefaultAssociationsConfiguration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | | ##ApplicationManagement @@ -44,15 +44,16 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | X | X | | | | -| [AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | X | X | | | | -| [AllowDeveloperUnlock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X | -| [AllowGameDVR](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | | -| [AllowSharedUserAppData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | | -| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | X | | | | -| [ApplicationRestrictions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | x | | | | -| [RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | | -| [RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | | +| [AllowAllTrustedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | X | X | | | X | +| [AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | X | X | | | X | +| [AllowDeveloperUnlock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X | +| [AllowGameDVR](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | | +| [AllowSharedUserAppData](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | | +| [AllowStore](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | X | | | | +| [ApplicationRestrictions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | x | | | | +| [LaunchAppAfterLogOn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | X | | | | | +| [RestrictAppDataToSystemVolume](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | X | +| [RestrictAppToSystemVolume](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | X | @@ -61,94 +62,115 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowFastReconnect](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X | +| [AllowFastReconnect](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X | +| [EnableFastFirstSignin](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | X | X | X | | X | +| [EnableWebSignin](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | X | X | X | | X | +| [PreferredAadTenantDomainName](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. | X | X | X | | X | ## BitLocker | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EncryptionMethod](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | X | X | | | | +| [EncryptionMethod](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | X | X | | | | ## Bluetooth | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvertising](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X | -| [AllowDiscoverableMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X | -| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | | X | +| [AllowAdvertising](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X | +| [AllowDiscoverableMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X | +| [AllowPrepairing](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X | | AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | X | X | X | X | X | -| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X | -| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | X | X | | +| [LocalDeviceName](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X | +| [ServicesAllowedList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | X | X | X | ## Browser | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddressBarDropdown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | X | | | | | -| [AllowAutofill](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | X | | -| [AllowBrowser](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device. | X | | | | | -[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | X | | | | | -| [AllowCookies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | X | | -| [AllowDeveloperTools](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | | -| [AllowDoNotTrack](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | X | | -| [AllowExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | | -| [AllowFlash](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | X | | | | | -| [AllowFlashClickToRun](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | | -| [AllowInPrivate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | X | | -| [AllowMicrosoftCompatibilityList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | X | X | X | | | -| [AllowPasswordManager](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | X | | -| [AllowPopups](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | X | | -| [AllowSearchEngineCustomization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | X | | | | | -| [AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | X | | -| [AllowSmartScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | X | | -[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | X | | | | | -| [ClearBrowsingDataOnExit](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | | -| [ConfigureAdditionalSearchEngines](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. | X | X | X | | | -| [DisableLockdownOfStartPages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | | -[EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | X | | | | | -| [EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | | -| [EnterpriseSiteListServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | | -| [FirstRunURL](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | | X | | | | -| [HomePages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | | -[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | X | | | | | -| [PreventAccessToAboutFlagsInMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | | -| [PreventFirstRunPage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | X | | | | | -| [PreventLiveTileDataCollection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | | -| [PreventSmartScreenPromptOverride](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | | | -| [PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | | | -PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. | X | | | | | -| [PreventUsingLocalHostIPAddressForWebRTC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | | -[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | X | | | | | -| [SendIntranetTraffictoInternetExplorer ](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | | -| [SetDefaultSearchEngine](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | X | X | X | | | -| [ShowMessageWhenOpeningSitesInInternetExplorer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | X | | | | | -| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | | -[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | X | | | | | +| [AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. | X | | | | | +| [AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | | X | +| [AllowBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | X | X | | | | +[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | X | X | | | | +| [AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | | X | +| [AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | | +| [AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | | X | +| [AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | | +| [AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. | X | | | | | +| [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | | +| [AllowFullScreenMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | X | X | X | | X | +| [AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | | X | +| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | X | X | X | | X | +| [AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | | X | +| [AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | X | | +| [AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | X | | | | | +| [AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge. | X | X | X | | X | +| [AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | X | | | | | +| [AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | X | X | X | | X | +| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | | X | +| [AllowSideloadingOfExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | X | | | | | +| [AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | X | X | +| [AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | X | | | | | +| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | X | X | X | | X | +[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | X | X | | | | +| [ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | | +| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. | X | X | X | | X | +| [ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | X | | | | | +| [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | X | | | | | +| [ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | X | | | | | +| [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration. | X | | | | | +| [ConfigureOpenMicrosoftEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | X | | | | | +| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | X | | | | | +| [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | | +[EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | X | X | | | | +| [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. | X | | | | | +| [EnterpriseSiteListServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | | +| [FirstRunURL](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | X | X | | | | +| [HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | | +[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | X | X | | | | +| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | X | +| [PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | X | X | X | | X | +| [PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. | X | | | | | +| [PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | X | +| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | | X | +| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | | X | +PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | X | | | | | +| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | X | | | | | +| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | X | +[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | X | X | | | | +| [SendIntranetTraffictoInternetExplorer ](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | | +| [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | X | X | X | | X | +| [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | X | | | | | +| [SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | X | | | | | +| [ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | X | | | | | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | | +| [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | X | | | | | +[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | X | X | | | | ## Camera | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCamera](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | X | | +| [AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | X | | ## Connectivity | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | | -| [AllowCellularData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | | -| [AllowCellularDataRoaming](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | X | X | X | | | -| [AllowConnectedDevices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | | -| [AllowNFC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | X | | | | -| [AllowUSBConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | X | | | | -| [AllowVPNOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |X | X | X | | | -| [AllowVPNRoamingOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | X | X | X | | | -| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | | -| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | X | X | X | | | +| [AllowBluetooth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | X | +| [AllowCellularData](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | X | +| [AllowCellularDataRoaming](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | X | X | X | | X | +| [AllowConnectedDevices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | X | +| [AllowNFC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | X | | | X | +| [AllowUSBConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | X | | | X | +| [AllowVPNOverCellular](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |X | X | X | | X | +| [AllowVPNRoamingOverCellular](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | X | X | X | | X | +| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | X | +| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | X | X | X | | X | ## CredentialProviders @@ -160,60 +182,68 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowFipsAlgorithmPolicy](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | | | | -| [TLSCiperSuites](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X | | | | +| [AllowFipsAlgorithmPolicy](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | | | | +| [TLSCiperSuites](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X | | | | ## Defender | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowArchiveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | X | | | | | -| [AllowBehaviorMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | X | | | | | -| [AllowCloudProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | X | | | | | -| [AllowEmailScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | X | | | | | -| [AllowFullScanOnMappedNetworkDrives](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | X | | | | | -| [AllowFullScanRemovableDriveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | X | | | | | -| [AllowIntrusionPreventionSystem](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | | | | | -| [AllowIOAVProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | X | | | | | -| [AllowOnAccessProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | X | | | | | -| [AllowRealtimeMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | X | | | | | -| [AllowScanningNetworkFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | X | | | | | -| [AllowScriptScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | X | | | | | -| [AllowUserUIAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | X | | | | | -| [AvgCPULoadFactor](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | | | | | -| [DaysToRetainCleanedMalware](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | X | | | | | -| [ExcludedExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | X | | | | | -| [ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | X | | | | | -| [ExcludedProcesses](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | X | | | | | -| [RealTimeScanDirection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | X | | | | | -| [ScanParameter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | X | | | | | -| [ScheduleQuickScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | X | | | | | -| [ScheduleScanDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | X | | | | | -| [ScheduleScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | X | | | | | -| [SignatureUpdateInterval](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | | | | | -| [SubmitSamplesConsent](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | X | | | | | -| [ThreatSeverityDefaultAction](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | X | | | | | +| [AllowArchiveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | X | | | | | +| [AllowBehaviorMonitoring](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | X | | | | | +| [AllowCloudProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | X | | | | | +| [AllowEmailScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | X | | | | | +| [AllowFullScanOnMappedNetworkDrives](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | X | | | | | +| [AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | X | | | | | +| [AllowIntrusionPreventionSystem](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | | | | | +| [AllowIOAVProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | X | | | | | +| [AllowOnAccessProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | X | | | | | +| [AllowRealtimeMonitoring](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | X | | | | | +| [AllowScanningNetworkFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | X | | | | | +| [AllowScriptScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | X | | | | | +| [AllowUserUIAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | X | | | | | +| [AvgCPULoadFactor](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | | | | | +| [DaysToRetainCleanedMalware](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | X | | | | | +| [ExcludedExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | X | | | | | +| [ExcludedPaths](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | X | | | | | +| [ExcludedProcesses](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | X | | | | | +| [RealTimeScanDirection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | X | | | | | +| [ScanParameter](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | X | | | | | +| [ScheduleQuickScanTime](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | X | | | | | +| [ScheduleScanDay](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | X | | | | | +| [ScheduleScanTime](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | X | | | | | +| [SignatureUpdateInterval](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | | | | | +| [SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | X | | | | | +| [ThreatSeverityDefaultAction](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | X | | | | | ## DeliveryOptimization | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [DOAbsoluteMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | X | | | | | -| [DOAllowVPNPeerCaching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | | | | | -| [DODownloadMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | X | | | | | -| [DOGroupId](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | X | | | | | -| [DOMaxCacheAge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | | | | | -| [DOMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | | | | | -| [DOMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | | | | | -| [DOMaxUploadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | | | | | -| [DOMinBackgroundQos](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | X | | | | | -| [DOMinBatteryPercentageAllowedToUpload](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | | | | | -| [DOMinDiskSizeAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | | | | | -| [DOMinFileSizeToCache](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | X | | | | | -| [DOMinRAMAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | X | | | | | -| [DOModifyCacheDrive](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | X | | | | | -| [DOMonthlyUploadDataCap](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | X | | | | | -| [DOPercentageMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | +| [DOAbsoluteMaxCacheSize](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | X | | | | | +| [DOAllowVPNPeerCaching](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | | | | | +| [DODelayBackgroundDownloadFromHttp](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | X | | | | | +| [DODelayForegroundDownloadFromHttp](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | X | | | | | +| [DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. | X | | | | | +| [DOGroupId](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | X | | | | | +| [DOGroupIdSource](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | X | | | | | +| [DOMaxCacheAge](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | | | | | +| [DOMaxCacheSize](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | | | | | +| [DOMaxDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | | | | | +| [DOMaxUploadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | | | | | +| [DOMinBackgroundQos](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. | X | | | | | +| [DOMinBatteryPercentageAllowedToUpload](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | | | | | +| [DOMinDiskSizeAllowedToPeer](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | | | | | +| [DOMinFileSizeToCache](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | X | | | | | +| [DOMinRAMAllowedToPeer](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | X | | | | | +| [DOModifyCacheDrive](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | X | | | | | +| [DOMonthlyUploadDataCap](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. | X | | | | | +| [DOPercentageMaxBackDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | +| [DOPercentageMaxDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | +| [DOPercentageMaxForeDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | +| [DORestrictPeerSelectionBy](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | X | | | | | +| [DOSetHoursToLimitBackgroundDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | +| [DOSetHoursToLimitForegroundDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | ## DeviceGuard @@ -225,18 +255,18 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowIdleReturnWithoutPassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | | -| [AllowScreenTimeoutWhileLockedUserConfig](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | X | | | | -| [AllowSimpleDevicePassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | X | | -|[AlphanumericDevicePasswordRequired](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | X | X | | X | | -| [DevicePasswordEnabled](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | X | | -| [DevicePasswordExpiration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | X | X | | X | | -| [DevicePasswordHistory](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | X | X | | X | | -| [MaxDevicePasswordFailedAttempts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | X | | -| [MaxInactivityTimeDeviceLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | | X | | -| [MinDevicePasswordComplexCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | X | X | | X | | -| [MinDevicePasswordLength](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | X | | -| [ScreenTimeoutWhileLocked](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | X | | | | +| [AllowIdleReturnWithoutPassword](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | | +| [AllowScreenTimeoutWhileLockedUserConfig](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | X | | | | +| [AllowSimpleDevicePassword](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | X | | +|[AlphanumericDevicePasswordRequired](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | X | X | | X | | +| [DevicePasswordEnabled](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | X | | +| [DevicePasswordExpiration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | X | X | | X | | +| [DevicePasswordHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | X | X | | X | | +| [MaxDevicePasswordFailedAttempts](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | X | | +| [MaxInactivityTimeDeviceLock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | | X | | +| [MinDevicePasswordComplexCharacters](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | X | X | | X | | +| [MinDevicePasswordLength](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | X | | +| [ScreenTimeoutWhileLocked](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | X | | | | ## DeviceManagement @@ -251,24 +281,24 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCopyPaste](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | | -| [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | X | X | | X | | -| [AllowDeviceDiscovery](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | | -| [AllowFindMyDevice](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | X | X | | | | -| [AllowManualMDMUnenrollment](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | X | | -| [AllowScreenCapture](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | | -| [AllowSIMErrorDialogPromptWhenNoSIM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | | -| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | | -| [AllowTailoredExperiencesWithDiagnosticData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | | -| [AllowTaskSwitcher](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | | -| [AllowThirdPartySuggestionsInWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | | | | | -| [AllowVoiceRecording](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | | +| [AllowCopyPaste](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | | +| [AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | X | X | | X | | +| [AllowDeviceDiscovery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | | +| [AllowFindMyDevice](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | X | X | | | | +| [AllowManualMDMUnenrollment](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | X | | +| [AllowScreenCapture](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | | +| [AllowSIMErrorDialogPromptWhenNoSIM](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | | +| [AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | | +| [AllowTailoredExperiencesWithDiagnosticData](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | | +| [AllowTaskSwitcher](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | | +| [AllowThirdPartySuggestionsInWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | | | | | +| [AllowVoiceRecording](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | | | [AllowWindowsConsumerFeatures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | | -| [AllowWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | | -| [AllowWindowsSpotlightOnActionCenter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | | -| [AllowWindowsSpotlightWindowsWelcomeExperience](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | | -| [AllowWindowsTips](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | | -| [ConfigureWindowsSpotlightOnLockScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | X | | | | | +| [AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | | +| [AllowWindowsSpotlightOnActionCenter](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | | +| [AllowWindowsSpotlightWindowsWelcomeExperience](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | | +| [AllowWindowsTips](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | | +| [ConfigureWindowsSpotlightOnLockScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | X | | | | | ## ExploitGuard @@ -281,7 +311,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvancedGamingServices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | | +| [AllowAdvancedGamingServices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | | ## KioskBrowser @@ -293,6 +323,7 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store. [BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X | | | | | [BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | X | | | | | [DefaultURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | X | | | | | +[EnableEndSessionButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | X | | | | | [EnableHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | X | | | | | [EnableNavigationButtons](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | X | | | | | [RestartOnIdleTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty which means there is no idle timeout within the kiosk browser. | X | | | | | @@ -310,15 +341,15 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EnableLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | | +| [EnableLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Do not use. | | | | | | ## Privacy | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | X | | | | -| [AllowInputPersonalization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | X | X | | X | | +| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | X | | | | +| [AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | X | X | | X | | ## Search @@ -327,16 +358,17 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | --- | --- | :---: | :---: | :---: | :---: | :---: | [AllowCloudSearch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | X | X | | | | [AllowCortanaInAAD](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | X | | | | | -| [AllowIndexingEncryptedStoresOrItems](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | | -| [AllowSearchToUseLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | X | X | | X | | -| [AllowUsingDiacritics](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | | +| [AllowIndexingEncryptedStoresOrItems](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | | +| [AllowSearchToUseLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | X | X | | X | | +| [AllowUsingDiacritics](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | | | [AllowWindowsIndexer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

      - **Off** setting disables Windows indexer
      - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
      - **Enterprise** setting reduces potential network loads for enterprises
      - **Standard** setting is appropriate for consuemrs | X | X | | | | -| [AlwaysUseAutoLangDetection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | X | X | | | | -| [DisableBackoff](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | | -| [DisableRemovableDriveIndexing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | | -| [PreventIndexingLowDiskSpaceMB](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | | | | -| [PreventRemoteQueries](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | X | X | | | | -| [SafeSearchPermissions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | X | | | | +| [AlwaysUseAutoLangDetection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | X | X | | | | +| [DoNotUseWebResults](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | X | X | | | | +| [DisableBackoff](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | | +| [DisableRemovableDriveIndexing](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | | +| [PreventIndexingLowDiskSpaceMB](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | | | | +| [PreventRemoteQueries](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | X | X | | | | +| [SafeSearchPermissions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | X | | | | @@ -344,22 +376,22 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | | X | -| [AllowManualRootCertificateInstallation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | | -| [AllowRemoveProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | | X | -| [AntiTheftMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | X | | | | -| [RequireDeviceEncryption](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X | -| [RequireProvisioningPackageSignature](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | X | X | X | | X | -| [RequireRetrieveHealthCertificateOnBoot](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X | | | | +| [AllowAddProvisioningPackage](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | | X | +| [AllowManualRootCertificateInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | | +| [AllowRemoveProvisioningPackage](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | | X | +| [AntiTheftMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | X | | | | +| [RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X | +| [RequireProvisioningPackageSignature](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. | X | X | X | | X | +| [RequireRetrieveHealthCertificateOnBoot](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X | | | | ## Settings | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoPlay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | | -| [AllowDataSense](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | | -| [AllowVPN](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | X | | -| [ConfigureTaskbarCalendar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | | +| [AllowAutoPlay](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | | +| [AllowDataSense](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | | +| [AllowVPN](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | X | | +| [ConfigureTaskbarCalendar](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | | [PageVisiblityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | X | | | | | ## Start @@ -377,40 +409,42 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | [AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | X | | | | | | [AllowPinnedFolderVideos](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | X | | | | | DisableContextMenus | Prevent context menus from being invoked in the Start menu. | X | | | | | -| [ForceStartSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | | -| [HideAppList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | | -| [HideChangeAccountSettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | | -| [HideFrequentlyUsedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | X | | | | | -| [HideHibernate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | | -| [HideLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | | +| [ForceStartSize](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | | +| [HideAppList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | | +| [HideChangeAccountSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | | +| [HideFrequentlyUsedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | X | | | | | +| [HideHibernate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | | +| [HideLock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | | | HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | X | | | | | -| [HidePowerButton](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | | -| [HideRecentJumplists](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | | -| [HideRecentlyAddedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | | -| [HideRestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | X | | | | | -| [HideShutDown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | X | | | | | -| [HideSignOut](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | X | | | | | -| [HideSleep](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | X | | | | | -| [HideSwitchAccount](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | X | | | | | -| [HideUserTile](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | X | | | | | -| [ImportEdgeAssets](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/windows/configuration/start-secondary-tiles). | X | | | | | -| [NoPinningToTaskbar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | X | | | | | -| [StartLayout](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd) | X | | | | | +| [HidePowerButton](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | | +| [HideRecentJumplists](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | | +| [HideRecentlyAddedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | | +| [HideRestart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | X | | | | | +| [HideShutDown](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | X | | | | | +| [HideSignOut](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | X | | | | | +| [HideSleep](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | X | | | | | +| [HideSwitchAccount](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | X | | | | | +| [HideUserTile](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | X | | | | | +| [ImportEdgeAssets](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/windows/configuration/start-secondary-tiles). | X | | | | | +| [NoPinningToTaskbar](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | X | | | | | +| [StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd) | X | | | | | ## System | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowBuildPreview](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | X | X | | | | -| [AllowEmbeddedMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | | X | -| [AllowExperimentation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | | -| [AllowLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X | -| [AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | | X | -| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | X | | -| [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | | +| [AllowBuildPreview](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | X | X | | | | +| [AllowEmbeddedMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | | X | +| [AllowExperimentation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | | +| [AllowLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X | +| [AllowStorageCard](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | | X | +| [AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | X | | +| [AllowUserToResetPhone](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | | ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | X | X | | | | ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | X | X | | | | -| [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | | +| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. | X | X | | | | +| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | X | X | | | | +| [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | | | [LimitEnhancedDiagnosticDataWindowsAnalytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | | @@ -418,98 +452,106 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowIMELogging](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | X | | | | | -| [AllowIMENetworkAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | | | | | -| [AllowInputPanel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | X | | | | | -| [AllowJapaneseIMESurrogatePairCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | X | | | | | -| [AllowJapaneseIVSCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | | | | | -| [AllJapaneseNonPublishingStandardGlyph](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | X | | | | | -| [AllowJapaneseUserDictionary](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | X | | | | | -| [AllowKeyboardTextSuggestions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | | | | | -| [AllowLanguageFeaturesUninstall](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | X | | | | | -| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | | -| [ExcludeJapaneseIMEExceptISO208](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | -| [ExcludeJapaneseIMEExceptISO208andEUDC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | -| [ExcludeJapaneseIMEExceptShiftJIS](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | +| [AllowIMELogging](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | X | | | | | +| [AllowIMENetworkAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | | | | | +| [AllowInputPanel](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | X | | | | | +| [AllowJapaneseIMESurrogatePairCharacters](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | X | | | | | +| [AllowJapaneseIVSCharacters](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | | | | | +| [AllJapaneseNonPublishingStandardGlyph](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. | X | | | | | +| [AllowJapaneseUserDictionary](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | X | | | | | +| [AllowKeyboardTextSuggestions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | | | | | +| [AllowLanguageFeaturesUninstall](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | X | | | | | +| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | | +| [ExcludeJapaneseIMEExceptISO208](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | +| [ExcludeJapaneseIMEExceptISO208andEUDC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | +| [ExcludeJapaneseIMEExceptShiftJIS](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | ## TimeLanguageSettings | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowSet24HourClock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | X | | | | +| [AllowSet24HourClock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | X | | | | ## Update | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X | -| [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X | -| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X | -| [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | +| [ActiveHoursEnd](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X | +| [ActiveHoursMaxRange](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X | +| [ActiveHoursStart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X | +| [AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | | [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | | X | -| [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X | -| [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | | X | -| [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X | +| [AllowMUUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X | +| [AllowNonMicrosoftSignedUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | | X | +| [AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X | | [AutoRestartDeadlinePeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X | -| [AutoRestartNotificationSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | | X | -| [AutoRestartRequiredNotificationDismissal](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | | X | -| [BranchReadinessLevel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X | -| [DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | | X | -| [DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | | X | +| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X | +| [AutoRestartNotificationSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | | X | +| [AutoRestartRequiredNotificationDismissal](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | | X | +| [BranchReadinessLevel](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X | +| [DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | | X | +| [DeferQualityUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | | X | | [DeferUpdatePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | X | X | X | X | X | | [DeferUpgradePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) |Specify upgrade delays for up to 8 months. | X | X | X | X | X | -| [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X | +| [DetectionFrequency](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X | | [DisableDualScan](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. | X | X | X | | X | -| [EngagedRestartDeadline](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X | -| [EngagedRestartSnoozeSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X | -| [EngagedRestartTransitionSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | -| [FillEmptyContentUrls](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | | X | +| [EngagedRestartDeadline](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X | +| [EngagedRestartDeadlineForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X | +| [EngagedRestartSnoozeSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X | +| [EngagedRestartSnoozeScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X | +| [EngagedRestartTransitionSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | +| [EngagedRestartTransitionScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | +| [ExcludeWUDriversInQualityUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. | X | | X | | X | +| [FillEmptyContentUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | | X | | ManagePreviewBuilds | Use to enable or disable preview builds. | X | X | X | X | X | | PhoneUpdateRestrictions | Deprecated | | X | | | | -| [RequireDeferUpgrade](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X | -| [ScheduledInstallDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X | +| [RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X | +| [ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X | | [ScheduledInstallEveryWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | X | X | X | X | X | | [ScheduledInstallFirstWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | X | X | X | X | X | | [ScheduledInstallFourthWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | X | X | X | X | X | | [ScheduledInstallSecondWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. | X | X | X | X | X | | [ScheduledInstallThirdWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | X | X | X | X | X | -| [ScheduledInstallTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X | -| [ScheduleImminentRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | | X || -| [ScheduleRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | | X | -| [SetAutoRestartNotificationDisable](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | | X | -| [SetEDURestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | | X | -| [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X | -| [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X | +| [ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X | +| [ScheduleImminentRestartWarning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | | X || +| [ScheduleRestartWarning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | | X | +| [SetAutoRestartNotificationDisable](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | | X | +| [SetDisablePauseUXAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | X | X | X | | X | +| [SetDisableUXWUAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | X | X | X | | X | +| [SetEDURestart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | | X | +| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | X | X | X | | X | +| [UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X | +| [UpdateServiceUrlAlternate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X | ## WiFi | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoConnectToWiFiSenseHotspots](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | | | | -| [AllowInternetSharing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | X | X | | | | -| [AllowManualWiFiConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | | -| [AllowWiFi](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | X | | | | -| [WLANScanMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X | X | +| [AllowAutoConnectToWiFiSenseHotspots](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | | | | +| [AllowInternetSharing](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | X | X | | | | +| [AllowManualWiFiConfiguration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | | +| [AllowWiFi](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | X | | | | +| [WLANScanMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X | X | ## WindowsInkWorkspace | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowSuggestedAppsInWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | X | | | | | -| [AllowWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | X | | | | | +| [AllowSuggestedAppsInWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | X | | | | | +| [AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | X | | | | | ## WindowsLogon | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [HideFastUserSwitching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | X | | | | | +| [HideFastUserSwitching](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | X | | | | | ## WirelessDisplay | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | | \ No newline at end of file +| [AllowUserInputFromWirelessDisplayReceiver](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index 8cc91e3ca4..73739a9e70 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -16,7 +16,6 @@ ms.date: 10/16/2017 Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. - ## Applies to | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md index 3eb2ee43c6..436c29160d 100644 --- a/windows/configuration/wcd/wcd-tabletmode.md +++ b/windows/configuration/wcd/wcd-tabletmode.md @@ -19,7 +19,7 @@ Use TabletMode to configure settings related to tablet mode. | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| All settings | X | X | X | | X | +| All settings | X | X | X | | | ## ConvertibleSlateModePromptPreference diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md index 9102c70cbe..7ca1ec138a 100644 --- a/windows/configuration/wcd/wcd-unifiedwritefilter.md +++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 09/06/2017 +ms.date: 10/02/2018 --- # UnifiedWriteFilter (reference) @@ -39,6 +39,13 @@ The overlay does not mirror the entire volume, but dynamically grows to keep tra Set to **True** to enable UWF. +## OverlayFlags + +OverlayFlags specifies whether to allow writes to unused space on the volume to pass through, and not be redirected to the overlay file. Enabling this setting helps conserve space on the overlay file. + +- Value `0` (default value when [OverlayType](#overlaytype) is not **Disk**): writes are redirected to the overlay file +- Value `1`(default value when [OverlayType](#overlaytype) is **Disk**): writes to unused space on the volume are allowed to pass through without being redirected to the overlay file. + ## OverlaySize Enter the maximum overlay size, in megabytes (MB), for the UWF overlay. The minimum value for maximum overlay size is 1024. @@ -58,6 +65,10 @@ Use **Add** to add a registry entry to the exclusion list after you restart the Use **Remove** to remove a registry entry from the exclusion list after you restart the device. +## ResetPersistentState + +Set to **True** to reset UWF settings to the original state that was captured at installation time. + ## Volumes Enter a drive letter for a volume to be protected by UWF. diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md index 0a2c9c16eb..d5455b7f01 100644 --- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md +++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md @@ -8,14 +8,11 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 07/19/2018 +ms.date: 10/02/2018 --- # WindowsHelloForBusiness (Windows Configuration Designer reference) ->[!WARNING] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to Windows on a device configured for [Shared PC mode](wcd-sharedpc.md). diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index 546e98f694..1064831115 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # WLAN (reference) diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 57c84d177d..c3a9c02907 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md @@ -22,7 +22,6 @@ This section describes the settings that you can configure in [provisioning pack [AccountManagement](wcd-accountmanagement.md) | | | | X | | | [Accounts](wcd-accounts.md) | X | X | X | X | X | | [ADMXIngestion](wcd-admxingestion.md) | X | | | | | -| [ApplicationManagement](wcd-applicationmanagement.md) | | | | | X | | [AssignedAccess](wcd-assignedaccess.md) | X | | | X | | | [AutomaticTime](wcd-automatictime.md) | | X | | | | | [Browser](wcd-browser.md) | X | X | X | X | | @@ -33,7 +32,7 @@ This section describes the settings that you can configure in [provisioning pack | [Certificates](wcd-certificates.md) | X | X | X | X | X | | [CleanPC](wcd-cleanpc.md) | X | | | | | | [Connections](wcd-connections.md) | X | X | X | X | | -| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | X | +| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | | | [CountryAndRegion](wcd-countryandregion.md) | X | X | X | X | | | [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | | | [DeveloperSetup](wcd-developersetup.md) | | | | X | | @@ -46,10 +45,12 @@ This section describes the settings that you can configure in [provisioning pack | [FirewallConfiguration](wcd-firewallconfiguration.md) | | | | | X | | [FirstExperience](wcd-firstexperience.md) | | | | X | | | [Folders](wcd-folders.md) |X | X | X | X | | -| [HotSpot](wcd-hotspot.md) | X | X | X | X | X | +| [HotSpot](wcd-hotspot.md) | | | | | | | [InitialSetup](wcd-initialsetup.md) | | X | | | | | [InternetExplorer](wcd-internetexplorer.md) | | X | | | | +| [KioskBrowser](wcd-kioskbrowser.md) | | | | | X | | [Licensing](wcd-licensing.md) | X | | | | | +| [Location](wcd-location.md) | | | | | X | | [Maps](wcd-maps.md) |X | X | X | X | | | [Messaging](wcd-messaging.md) | | X | | | | | [ModemConfigurations](wcd-modemconfigurations.md) | | X | | | | diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index cfce2db48a..e6269ec3dc 100644 --- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -26,7 +26,7 @@ This topic helps IT administrators learn about built-in accessibility features, |---------------------------|------------| | [Use Narrator to use devices without a screen](https://support.microsoft.com/help/22798/windows-10-narrator-get-started) | Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices.| | [Create accessible apps](https://developer.microsoft.com/windows/accessible-apps) | You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.| -| Use keyboard shortcuts for [Windows](https://support.microsoft.com/help/12445/windows-keyboard-shortcuts), [Narrator](https://support.microsoft.com/en-us/help/22806), and [Magnifier](https://support.microsoft.com/en-us/help/13810) | Get the most out of Windows with shortcuts for apps and desktops.| +| Use keyboard shortcuts for [Windows](https://support.microsoft.com/help/12445/windows-keyboard-shortcuts), [Narrator](https://support.microsoft.com/help/22806), and [Magnifier](https://support.microsoft.com/help/13810) | Get the most out of Windows with shortcuts for apps and desktops.| | Get closer with [Magnifier](https://support.microsoft.com/help/11542/windows-use-magnifier) | Magnifier enlarges all or part of your screen and offers a variety of configuration settings.| | [Cursor and pointer adjustments](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.| | [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle a variety of tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.| diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index d51cb7fd9d..971bd9d558 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -20,7 +20,7 @@ ms.date: 06/19/2018 - Windows 10 -> **Looking for consumer information?** See [Customize the Start menu](https://windows.microsoft.com/windows-10/getstarted-see-whats-on-the-menu) +> **Looking for consumer information?** [See what's on the Start menu](https://support.microsoft.com/help/17195/windows-10-see-whats-on-the-menu) Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. @@ -31,7 +31,7 @@ Organizations might want to deploy a customized Start and taskbar configuration > >For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). > ->Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) +>Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](https://docs.microsoft.com/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) @@ -116,7 +116,7 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events: - **Event 22** is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format. -- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood or source is not found such as a missing or misspelled .lnk. +- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood, elements are not in [the required order](start-layout-xml-desktop.md#required-order), or source is not found, such as a missing or misspelled .lnk. diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index aaf7da1a9a..b4166fbbf4 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -73,7 +73,7 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo - In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + In addition to the specific policy settings for Windows Spotlight, administrators can replace Windows Spotlight with a selected image using the Group Policy setting **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image** (Windows 10 Enterprise and Education). >[!TIP] >If you want to use a custom lock screen image that contains text, see [Resolution for custom lock screen image](#resolution-for-custom-lock-screen-image). diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index fdb33ba268..00acdc9318 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -1,4 +1,4 @@ -# [Deploy and update Windows 10](https://docs.microsoft.com/en-us/windows/deployment) +# [Deploy and update Windows 10](https://docs.microsoft.com/windows/deployment) ## [Deploy Windows 10 with Microsoft 365](deploy-m365.md) ## [What's new in Windows 10 deployment](deploy-whats-new.md) ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) @@ -20,7 +20,8 @@ ## [Deploy Windows 10](deploy.md) ### [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) -### [Windows 10 in S mode](windows-10-pro-in-s-mode.md) +### [Windows 10 in S mode](s-mode.md) +#### [Switch to Windows 10 Pro/Enterprise from S mode](windows-10-pro-in-s-mode.md) ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) ### [Windows 10 volume license media](windows-10-media.md) @@ -214,12 +215,21 @@ ### [Quick guide to Windows as a service](update/waas-quick-start.md) #### [Servicing stack updates](update/servicing-stack-updates.md) ### [Overview of Windows as a service](update/waas-overview.md) +### [Understand how servicing differs in Windows 10](update/waas-servicing-differences.md) ### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md) ### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md) ### [Assign devices to servicing channels for Windows 10 updates](update/waas-servicing-channels-windows-10-updates.md) +### [Get started with Windows Update](update/windows-update-overview.md) +#### [How Windows Update works](update/how-windows-update-works.md) +#### [Windows Update log files](update/windows-update-logs.md) +#### [How to troubleshoot Windows Update](update/windows-update-troubleshooting.md) +#### [Common Windows Update errors](update/windows-update-errors.md) +#### [Windows Update error code reference](update/windows-update-error-reference.md) +#### [Other Windows Update resources](update/windows-update-resources.md) ### [Optimize Windows 10 update delivery](update/waas-optimize-windows-10-updates.md) #### [Configure Delivery Optimization for Windows 10 updates](update/waas-delivery-optimization.md) #### [Configure BranchCache for Windows 10 updates](update/waas-branchcache.md) +#### [Whitepaper: Windows Updates using forward and reverse differentials](update/PSFxWhitepaper.md) ### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md) #### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md) #### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md) @@ -231,6 +241,7 @@ #### [Walkthrough: use Group Policy to configure Windows Update for Business](update/waas-wufb-group-policy.md) #### [Walkthrough: use Intune to configure Windows Update for Business](https://docs.microsoft.com/intune/windows-update-for-business-configure) ### [Deploy Windows 10 updates using Windows Server Update Services](update/waas-manage-updates-wsus.md) +#### [Enable FoD and language pack updates in Windows Update](update/fod-and-lang-packs.md) ### [Deploy Windows 10 updates using System Center Configuration Manager](update/waas-manage-updates-configuration-manager.md) ### [Manage device restarts after updates](update/waas-restart.md) ### [Manage additional Windows Update settings](update/waas-wu-settings.md) @@ -250,6 +261,7 @@ ##### [Step 1: Identify apps](upgrade/upgrade-readiness-identify-apps.md) ##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md) ##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) +##### [Step 4: Monitor deployment](upgrade/upgrade-readiness-monitor-deployment.md) ##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) ##### [Targeting a new operating system version](upgrade/upgrade-readiness-target-new-OS.md) ### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md index 08d10e29c7..f2a31049b0 100644 --- a/windows/deployment/change-history-for-deploy-windows-10.md +++ b/windows/deployment/change-history-for-deploy-windows-10.md @@ -10,7 +10,7 @@ ms.date: 11/08/2017 --- # Change history for Deploy Windows 10 -This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/en-us/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). +This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10). ## April 2018 diff --git a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md index c7de8c5957..9c87e4c4c7 100644 --- a/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md +++ b/windows/deployment/configure-a-pxe-server-to-load-windows-pe.md @@ -171,7 +171,7 @@ ramdisksdipath \boot\boot.sdi The following summarizes the PXE client boot process. ->The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](https://technet.microsoft.com/en-us/library/cc732351.aspx). +>The following assumes that you have configured DHCP option 67 (Bootfile Name) to "boot\PXEboot.n12" which enables direct boot to PXE with no user interaction. For more information about DHCP options for network boot, see [Managing Network Boot Programs](https://technet.microsoft.com/library/cc732351.aspx). 1. A client is directed by DHCP options 066 and 067 to download boot\\PXEboot.n12 from the TFTP server. 2. PXEboot.n12 immediately begins a network boot. @@ -186,4 +186,4 @@ See Also #### Concepts -[Windows PE Walkthroughs](https://technet.microsoft.com/en-us/library/cc748899.aspx) \ No newline at end of file +[Windows PE Walkthroughs](https://technet.microsoft.com/library/cc748899.aspx) \ No newline at end of file diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 57d548abf9..c1d98d727b 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md @@ -68,12 +68,12 @@ You might ask why you need to synchronize these identities. The answer is so tha For more information about integrating on-premises AD DS domains with Azure AD, see the following resources: -- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) +- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/) - [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) ## Preparing for deployment: reviewing requirements -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic. ## Assigning licenses to users @@ -225,7 +225,7 @@ Use the following figures to help you troubleshoot when users experience these c ### Review requirements on devices -Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. +Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. **To determine if a device is Azure Active Directory joined:** diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index ded250b312..f45a135986 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: deploy keywords: deployment, automate, tools, configure, mdt, sccm, M365 ms.localizationpriority: medium -ms.date: 04/23/2018 +ms.date: 11/06/2018 author: greg-lindsay --- @@ -21,7 +21,7 @@ This topic provides a brief overview of Microsoft 365 and describes how to use a [Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS). -For Windows 10 deployment, Microsoft 365 includes a fantasic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: +For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including: - Windows Autopilot - In-place upgrade @@ -55,12 +55,8 @@ Examples of these two deployment advisors are shown below. ## Related Topics -[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) -  - -  - - +[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
      +[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 7c7f1d1ff8..e7d62d3cd1 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 09/12/2018 +ms.date: 12/18/2018 author: greg-lindsay --- @@ -16,7 +16,6 @@ author: greg-lindsay **Applies to** - Windows 10 - ## In this topic This topic provides an overview of new solutions and online content related to deploying Windows 10 in your organization. @@ -24,6 +23,19 @@ This topic provides an overview of new solutions and online content related to d - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](https://technet.microsoft.com/itpro/windows/whats-new/index). - For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). +## Recent additions to this page + +[SetupDiag](#setupdiag) 1.4 is released. + +## The Modern Desktop Deployment Center + +The [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) has launched with tons of content to help you with large-scale deployment of Windows 10 and Office 365 ProPlus. + +## Windows 10 servicing and support + +Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below. + +![Support lifecycle](images/support-cycle.png) ## Windows 10 servicing and support @@ -48,6 +60,12 @@ Windows Autopilot streamlines and automates the process of setting up and config Windows Autopilot joins devices to Azure Active Directory (Azure AD), optionally enrolls into MDM services, configures security policies, and sets a custom out-of-box-experience (OOBE) for the end user. For more information, see [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md). +### SetupDiag + +[SetupDiag](upgrade/setupdiag.md) is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. + +SetupDiag version 1.4 was released on 12/18/2018. + ### Upgrade Readiness The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. @@ -90,7 +108,7 @@ MDT build 8443 is available, including support for: - The Windows ADK for Windows 10, version 1607. - Integration with Configuration Manager version 1606. -For more information about MDT, see the [MDT resource page](https://technet.microsoft.com/en-US/windows/dn475741). +For more information about MDT, see the [MDT resource page](https://technet.microsoft.com/windows/dn475741). ### Windows Assessment and Deployment Kit (ADK) @@ -133,9 +151,7 @@ The following topics provide a change history for Windows 10 ITPro TechNet libra [Overview of Windows as a service](update/waas-overview.md)
      [Windows 10 deployment considerations](planning/windows-10-deployment-considerations.md) -
      [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info.aspx) +
      [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx)
      [Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/en-us/windows/windows-10-specifications)
      [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
      [Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md) - - \ No newline at end of file diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index 2e2da9aa71..fbc54619d1 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -906,7 +906,7 @@ foreach ($disk in $Disks) <# If a domain name was provided to the script, we will create a random computer name - and perform an offline domain join for the device. With this command we also supress the + and perform an offline domain join for the device. With this command we also suppress the Add User OOBE screen. #> if ($DomainName) diff --git a/windows/deployment/deploy.md b/windows/deployment/deploy.md index a38657a7be..ff0a09c58c 100644 --- a/windows/deployment/deploy.md +++ b/windows/deployment/deploy.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: medium -ms.date: 11/02/2017 +ms.date: 11/06/2018 author: greg-lindsay --- @@ -29,6 +29,10 @@ Windows 10 upgrade options are discussed and information is provided about plann |[Windows 10 deployment tools](windows-10-deployment-tools-reference.md) |Learn about available tools to deploy Windows 10, such as the Windows ADK, DISM, USMT, WDS, MDT, Windows PE and more. | |[How to install fonts that are missing after upgrading to Windows 10](windows-10-missing-fonts.md)|Windows 10 introduced changes to the fonts that are included in the image by default. Learn how to install additional fonts from **Optional features** after you install Windows 10 or upgrade from a previous version.| +## Related topics + +[Modern Destop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) +     diff --git a/windows/deployment/images/CreateSolution-Part1-Marketplace.png b/windows/deployment/images/CreateSolution-Part1-Marketplace.png new file mode 100644 index 0000000000..25793516c2 Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part1-Marketplace.png differ diff --git a/windows/deployment/images/CreateSolution-Part2-Create.png b/windows/deployment/images/CreateSolution-Part2-Create.png new file mode 100644 index 0000000000..ec63f20402 Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part2-Create.png differ diff --git a/windows/deployment/images/CreateSolution-Part3-Workspace.png b/windows/deployment/images/CreateSolution-Part3-Workspace.png new file mode 100644 index 0000000000..1d74aa39d0 Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part3-Workspace.png differ diff --git a/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png b/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png new file mode 100644 index 0000000000..7a3129f467 Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png differ diff --git a/windows/deployment/images/CreateSolution-Part5-GoToResource.png b/windows/deployment/images/CreateSolution-Part5-GoToResource.png new file mode 100644 index 0000000000..c3cb382097 Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part5-GoToResource.png differ diff --git a/windows/deployment/images/UC_00_marketplace_search - Copy.PNG b/windows/deployment/images/UC_00_marketplace_search - Copy.PNG new file mode 100644 index 0000000000..dcdf25d38a Binary files /dev/null and b/windows/deployment/images/UC_00_marketplace_search - Copy.PNG differ diff --git a/windows/deployment/images/UC_00_marketplace_search.PNG b/windows/deployment/images/UC_00_marketplace_search.PNG new file mode 100644 index 0000000000..dcdf25d38a Binary files /dev/null and b/windows/deployment/images/UC_00_marketplace_search.PNG differ diff --git a/windows/deployment/images/UC_01_marketplace_create - Copy.PNG b/windows/deployment/images/UC_01_marketplace_create - Copy.PNG new file mode 100644 index 0000000000..4b34311112 Binary files /dev/null and b/windows/deployment/images/UC_01_marketplace_create - Copy.PNG differ diff --git a/windows/deployment/images/UC_01_marketplace_create.PNG b/windows/deployment/images/UC_01_marketplace_create.PNG new file mode 100644 index 0000000000..4b34311112 Binary files /dev/null and b/windows/deployment/images/UC_01_marketplace_create.PNG differ diff --git a/windows/deployment/images/UC_02_workspace_create - Copy.PNG b/windows/deployment/images/UC_02_workspace_create - Copy.PNG new file mode 100644 index 0000000000..ed3eeeebbb Binary files /dev/null and b/windows/deployment/images/UC_02_workspace_create - Copy.PNG differ diff --git a/windows/deployment/images/UC_02_workspace_create.PNG b/windows/deployment/images/UC_02_workspace_create.PNG new file mode 100644 index 0000000000..ed3eeeebbb Binary files /dev/null and b/windows/deployment/images/UC_02_workspace_create.PNG differ diff --git a/windows/deployment/images/UC_03_workspace_select - Copy.PNG b/windows/deployment/images/UC_03_workspace_select - Copy.PNG new file mode 100644 index 0000000000..d00864b861 Binary files /dev/null and b/windows/deployment/images/UC_03_workspace_select - Copy.PNG differ diff --git a/windows/deployment/images/UC_03_workspace_select.PNG b/windows/deployment/images/UC_03_workspace_select.PNG new file mode 100644 index 0000000000..d00864b861 Binary files /dev/null and b/windows/deployment/images/UC_03_workspace_select.PNG differ diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG new file mode 100644 index 0000000000..3ea9f57531 Binary files /dev/null and b/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG differ diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG new file mode 100644 index 0000000000..3ea9f57531 Binary files /dev/null and b/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG differ diff --git a/windows/deployment/images/UC_tile_assessing - Copy.PNG b/windows/deployment/images/UC_tile_assessing - Copy.PNG new file mode 100644 index 0000000000..2709763570 Binary files /dev/null and b/windows/deployment/images/UC_tile_assessing - Copy.PNG differ diff --git a/windows/deployment/images/UC_tile_assessing.PNG b/windows/deployment/images/UC_tile_assessing.PNG new file mode 100644 index 0000000000..2709763570 Binary files /dev/null and b/windows/deployment/images/UC_tile_assessing.PNG differ diff --git a/windows/deployment/images/UC_tile_filled - Copy.PNG b/windows/deployment/images/UC_tile_filled - Copy.PNG new file mode 100644 index 0000000000..f7e1bab284 Binary files /dev/null and b/windows/deployment/images/UC_tile_filled - Copy.PNG differ diff --git a/windows/deployment/images/UC_tile_filled.PNG b/windows/deployment/images/UC_tile_filled.PNG new file mode 100644 index 0000000000..f7e1bab284 Binary files /dev/null and b/windows/deployment/images/UC_tile_filled.PNG differ diff --git a/windows/deployment/images/UC_workspace_DO_status - Copy.PNG b/windows/deployment/images/UC_workspace_DO_status - Copy.PNG new file mode 100644 index 0000000000..fa7550f0f5 Binary files /dev/null and b/windows/deployment/images/UC_workspace_DO_status - Copy.PNG differ diff --git a/windows/deployment/images/UC_workspace_DO_status.PNG b/windows/deployment/images/UC_workspace_DO_status.PNG new file mode 100644 index 0000000000..fa7550f0f5 Binary files /dev/null and b/windows/deployment/images/UC_workspace_DO_status.PNG differ diff --git a/windows/deployment/images/UC_workspace_FU_status - Copy.PNG b/windows/deployment/images/UC_workspace_FU_status - Copy.PNG new file mode 100644 index 0000000000..14966b1d8a Binary files /dev/null and b/windows/deployment/images/UC_workspace_FU_status - Copy.PNG differ diff --git a/windows/deployment/images/UC_workspace_FU_status.PNG b/windows/deployment/images/UC_workspace_FU_status.PNG new file mode 100644 index 0000000000..14966b1d8a Binary files /dev/null and b/windows/deployment/images/UC_workspace_FU_status.PNG differ diff --git a/windows/deployment/images/UC_workspace_SU_status - Copy.PNG b/windows/deployment/images/UC_workspace_SU_status - Copy.PNG new file mode 100644 index 0000000000..3564c9b6e5 Binary files /dev/null and b/windows/deployment/images/UC_workspace_SU_status - Copy.PNG differ diff --git a/windows/deployment/images/UC_workspace_SU_status.PNG b/windows/deployment/images/UC_workspace_SU_status.PNG new file mode 100644 index 0000000000..3564c9b6e5 Binary files /dev/null and b/windows/deployment/images/UC_workspace_SU_status.PNG differ diff --git a/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG b/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG new file mode 100644 index 0000000000..40dcaef949 Binary files /dev/null and b/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG differ diff --git a/windows/deployment/images/UC_workspace_WDAV_status.PNG b/windows/deployment/images/UC_workspace_WDAV_status.PNG new file mode 100644 index 0000000000..40dcaef949 Binary files /dev/null and b/windows/deployment/images/UC_workspace_WDAV_status.PNG differ diff --git a/windows/deployment/images/UC_workspace_home.PNG b/windows/deployment/images/UC_workspace_home.PNG new file mode 100644 index 0000000000..4269eb8c4d Binary files /dev/null and b/windows/deployment/images/UC_workspace_home.PNG differ diff --git a/windows/deployment/images/UC_workspace_needs_attention - Copy.png b/windows/deployment/images/UC_workspace_needs_attention - Copy.png new file mode 100644 index 0000000000..be8033a9d6 Binary files /dev/null and b/windows/deployment/images/UC_workspace_needs_attention - Copy.png differ diff --git a/windows/deployment/images/UC_workspace_needs_attention.png b/windows/deployment/images/UC_workspace_needs_attention.png new file mode 100644 index 0000000000..be8033a9d6 Binary files /dev/null and b/windows/deployment/images/UC_workspace_needs_attention.png differ diff --git a/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG b/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG new file mode 100644 index 0000000000..beb04cdc18 Binary files /dev/null and b/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG differ diff --git a/windows/deployment/images/UC_workspace_overview_blade.PNG b/windows/deployment/images/UC_workspace_overview_blade.PNG new file mode 100644 index 0000000000..beb04cdc18 Binary files /dev/null and b/windows/deployment/images/UC_workspace_overview_blade.PNG differ diff --git a/windows/deployment/images/UR-Azureportal1.PNG b/windows/deployment/images/UR-Azureportal1.PNG new file mode 100644 index 0000000000..2a3f8f1b73 Binary files /dev/null and b/windows/deployment/images/UR-Azureportal1.PNG differ diff --git a/windows/deployment/images/UR-Azureportal2.PNG b/windows/deployment/images/UR-Azureportal2.PNG new file mode 100644 index 0000000000..e7db8b3787 Binary files /dev/null and b/windows/deployment/images/UR-Azureportal2.PNG differ diff --git a/windows/deployment/images/UR-Azureportal3.PNG b/windows/deployment/images/UR-Azureportal3.PNG new file mode 100644 index 0000000000..6fae2e1738 Binary files /dev/null and b/windows/deployment/images/UR-Azureportal3.PNG differ diff --git a/windows/deployment/images/UR-Azureportal4.PNG b/windows/deployment/images/UR-Azureportal4.PNG new file mode 100644 index 0000000000..3087797a46 Binary files /dev/null and b/windows/deployment/images/UR-Azureportal4.PNG differ diff --git a/windows/deployment/images/UR-driver-issue-detail.png b/windows/deployment/images/UR-driver-issue-detail.png new file mode 100644 index 0000000000..933b2e2346 Binary files /dev/null and b/windows/deployment/images/UR-driver-issue-detail.png differ diff --git a/windows/deployment/images/UR-example-feedback.png b/windows/deployment/images/UR-example-feedback.png new file mode 100644 index 0000000000..5a05bb54e1 Binary files /dev/null and b/windows/deployment/images/UR-example-feedback.png differ diff --git a/windows/deployment/images/UR-monitor-main.png b/windows/deployment/images/UR-monitor-main.png new file mode 100644 index 0000000000..83904d3be2 Binary files /dev/null and b/windows/deployment/images/UR-monitor-main.png differ diff --git a/windows/deployment/images/UR-update-progress-failed-detail.png b/windows/deployment/images/UR-update-progress-failed-detail.png new file mode 100644 index 0000000000..4e619ae27c Binary files /dev/null and b/windows/deployment/images/UR-update-progress-failed-detail.png differ diff --git a/windows/deployment/images/autopilotworkflow.png b/windows/deployment/images/autopilotworkflow.png new file mode 100644 index 0000000000..a79609f6f7 Binary files /dev/null and b/windows/deployment/images/autopilotworkflow.png differ diff --git a/windows/deployment/images/s-mode-flow-chart.png b/windows/deployment/images/s-mode-flow-chart.png new file mode 100644 index 0000000000..c3c43cc027 Binary files /dev/null and b/windows/deployment/images/s-mode-flow-chart.png differ diff --git a/windows/deployment/images/smodeconfig.PNG b/windows/deployment/images/smodeconfig.PNG new file mode 100644 index 0000000000..2ab1fc0813 Binary files /dev/null and b/windows/deployment/images/smodeconfig.PNG differ diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index ab31e498e1..826492af20 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -28,7 +28,7 @@ sections: - href: windows-10-deployment-scenarios html:

      Understand the different ways that Windows 10 can be deployed

      image: - src: https://docs.microsoft.com/en-us/media/common/i_deploy.svg" + src: https://docs.microsoft.com/media/common/i_deploy.svg" title: Windows 10 deployment scenarios - href: update html:

      Update Windows 10 in the enterprise

      @@ -46,6 +46,7 @@ sections: text: "
      + @@ -59,7 +60,7 @@ sections: Windows 10 upgrade options are discussed and information is provided about planning, testing, and managing your production deployment.
       
      [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home) Check out the new Modern Deskop Deployment Center and discover content to help you with your Windows 10 and Office 365 ProPlus deployments.
      [What's new in Windows 10 deployment](deploy-whats-new.md) See this topic for a summary of new features and some recent changes related to deploying Windows 10 in your organization.
      [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md) To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the key capabilities and limitations of each, is a key task.
      [Windows 10 Subscription Activation](windows-10-enterprise-subscription-activation.md) Windows 10 Enterprise has traditionally been sold as on premises software, however, with Windows 10 version 1703 (also known as the Creator’s Update), both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as true online services via subscription. You can move from Windows 10 Pro to Windows 10 Enterprise with no keys and no reboots. If you are using a Cloud Service Providers (CSP) see the related topic: [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
      - + diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 179fd14236..e3fbb8108f 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -401,6 +401,6 @@ In this example, Disk 0 is formatted with the MBR partition style, and Disk 1 is ## Related topics -[Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx) +[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
      [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro) diff --git a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md index 7fb6d20106..b7e31dc924 100644 --- a/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/deployment/planning/change-history-for-plan-for-windows-10-deployment.md @@ -29,8 +29,8 @@ The topics in this library have been updated for Windows 10, version 1703 (also | New or changed topic | Description | | --- | --- | -| Windows 10 servicing overview | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview) | -| Windows Update for Business

      Setup and deployment of Windows Update for Business

      Integration of Windows Update for Business with management solutions | New content replaced these topics; see [Manage updates using Windows Update for Business](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-manage-updates-wufb) | +| Windows 10 servicing overview | New content replaced this topic; see [Overview of Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) | +| Windows Update for Business

      Setup and deployment of Windows Update for Business

      Integration of Windows Update for Business with management solutions | New content replaced these topics; see [Manage updates using Windows Update for Business](https://technet.microsoft.com/itpro/windows/manage/waas-manage-updates-wufb) | ## RELEASE: Windows 10, version 1607 diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md index 60147ba008..916f6ac0c9 100644 --- a/windows/deployment/planning/windows-10-1803-removed-features.md +++ b/windows/deployment/planning/windows-10-1803-removed-features.md @@ -27,7 +27,7 @@ We've removed the following features and functionalities from the installed prod |Feature |Instead you can use...| |-----------|-------------------- -|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/en-us/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| +|Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC or to stream music from OneDrive. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| |People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| |Language control in the Control Panel| Use the Settings app to change your language settings.| |HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

      When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

      Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
      - [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
      - [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md index 6d5df32e07..0c87d5a683 100644 --- a/windows/deployment/planning/windows-10-1809-removed-features.md +++ b/windows/deployment/planning/windows-10-1809-removed-features.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.sitesec: library author: lizap ms.author: elizapo -ms.date: 08/31/2018 +ms.date: 11/16/2018 --- # Features removed or planned for replacement starting with Windows 10, version 1809 @@ -28,12 +28,11 @@ We're removing the following features and functionalities from the installed pro |Feature |Instead you can use...| |-----------|-------------------- |Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| -|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/en-us/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| +|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| |Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| |limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| |Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| -|Trusted Platform Module (TPM) management console|The information previously available in the TPM management console is now available on the [**Device security**](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security) page in the [Windows Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).| -|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 8 and Windows Embedded 8 Standard|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx).| +|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 7-SP1 (WES7-SP1) and Windows Embedded Standard 8 (WES8)|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx). [Learn how](https://techcommunity.microsoft.com/t5/Windows-Embedded/Change-to-the-Windows-Embedded-Developer-Update/ba-p/285704) to get updates from the catalog.| ## Features we’re no longer developing diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md index b79237a3e1..7dcb96facc 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.md +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.md @@ -1,7 +1,7 @@ --- title: Windows 10 Enterprise FAQ for IT pros (Windows 10) description: Get answers to common questions around compatibility, installation, and support for Windows 10 Enterprise. -keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage udpates, Windows as a service, servicing channels, deployment tools +keywords: Windows 10 Enterprise, download, system requirements, drivers, appcompat, manage updates, Windows as a service, servicing channels, deployment tools ms.prod: w10 ms.mktglfcycl: plan ms.localizationpriority: medium diff --git a/windows/deployment/planning/windows-10-fall-creators-deprecation.md b/windows/deployment/planning/windows-10-fall-creators-deprecation.md index 09045724dc..5b8b7ca418 100644 --- a/windows/deployment/planning/windows-10-fall-creators-deprecation.md +++ b/windows/deployment/planning/windows-10-fall-creators-deprecation.md @@ -6,7 +6,7 @@ ms.mktglfcycl: plan ms.localizationpriority: medium ms.sitesec: library author: lizap -ms.date: 10/09/2017 +ms.date: 10/30/2018 --- # Features that are removed or deprecated in Windows 10 Fall Creators Update @@ -31,7 +31,7 @@ For more information about a listed feature or functionality and its replacemen |**Reading List**
      Functionality to be integrated into Microsoft Edge.| X | | |**Resilient File System (ReFS)**
      Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability.
      (added: August 17, 2017)| | X | |**RSA/AES Encryption for IIS**
      We recommend that users use CNG encryption provider.| | X | -|**Screen saver functionality in Themes**
      To be disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep is now deprecated but continues to be functional. Lockscreen features and policies are preferred. | X | X | +|**Screen saver functionality in Themes**
      Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X | |**Sync your settings**
      Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work.
      (updated: August 17, 2017) | | X | |**Syskey.exe**
      Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | | |**System Image Backup (SIB) Solution**
      We recommend that users use full-disk backup solutions from other vendors.| | X | diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md new file mode 100644 index 0000000000..51f0ecee10 --- /dev/null +++ b/windows/deployment/s-mode.md @@ -0,0 +1,53 @@ +--- +title: Windows 10 Pro in S mode +description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? +keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.prod: w10 +ms.sitesec: library +ms.pagetype: deploy +ms.date: 12/05/2018 +author: jaimeo +--- + +# Windows 10 in S mode - What is it? +S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS. + +![Configuration and features of S mode](images/smodeconfig.png) + +## S mode key features +**Microsoft-verified security** + +With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. + +**Performance that lasts** + +Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go. + +**Choice and flexibility** + +Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below. + +![Switching out of S mode flow chart](images/s-mode-flow-chart.png) + + +## Deployment + +Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired. + +## Keep line of business apps functioning with Desktop Bridge + +Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of buisness apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. + +## Repackage Win32 apps into the MSIX format + +The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. This is another way to get your apps ready to run on Windows 10 in S mode. + + +## Related links + +- [Consumer applications for S mode](https://www.microsoft.com/en-us/windows/s-mode) +- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) +- [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) +- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md new file mode 100644 index 0000000000..4126e2c7cf --- /dev/null +++ b/windows/deployment/update/PSFxWhitepaper.md @@ -0,0 +1,203 @@ +--- +title: Windows Updates using forward and reverse differentials +description: A technique to produce compact software updates optimized for any origin and destination revision pair +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: Jaimeo +ms.localizationpriority: medium +ms.author: jaimeo +ms.date: 10/18/2018 +--- + +# Windows Updates using forward and reverse differentials + + +Windows 10 monthly quality updates are cumulative, containing all previously +released fixes to ensure consistency and simplicity. For an operating system +platform like Windows 10, which stays in support for multiple years, the size of +monthly quality updates can quickly grow large, thus directly impacting network +bandwidth consumption. + +Today, this problem is addressed by using express downloads, where differential +downloads for every changed file in the update are generated based on selected +historical revisions plus the base version. In this paper, we introduce a new +technique to build compact software update packages that are applicable to any +revision of the base version, and then describe how Windows 10 quality updates +uses this technique. + +## General Terms + +The following general terms apply throughout this document: + +- *Base version*: A major software release with significant changes, such as + Windows 10, version 1809 (Windows 10 Build 17763.1) + +- *Revision*: Minor releases in between the major version releases, such as + KB4464330 (Windows 10 Build 17763.55) + +- *Baseless Patch Storage Files (Baseless PSF)*: Patch storage files that + contain full binaries or files + +## Introduction + +In this paper, we introduce a new technique that can produce compact software +updates optimized for any origin/destination revision pair. It does this by +calculating forward the differential of a changed file from the base version and +its reverse differential back to the base version. Both forward and reverse +differentials are then packaged as an update and distributed to the endpoints +running the software to be updated. The update package contents can be symbolized as follows: + +![Symbolic representation of update package contents. a box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png) + +The endpoints that have the base version of the file (V0) hydrate the target +revision (VN) by applying a simple transformation: + +![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png) + +The endpoints that have revision N of the file (VN), hydrate the target revision +(VR) by applying the following set of transformations: + +![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png) + +The endpoints retain the reverse differentials for the software revision they +are on, so that it can be used for hydrating and applying next revision update. + +By using a common baseline, this technique produces a single update package with +numerous advantages: + +- Compact in size + +- Applicable to all baselines + +- Simple to build + +- Efficient to install + +- Redistributable + +Historically, download sizes of Windows 10 quality updates (Windows 10, version +1803 and older supported versions of Windows 10) are optimized by using express +download. Express download is optimized such that updating Windows 10 systems +will download the minimum number of bytes. This is achieved by generating +differentials for every updated file based on selected historical base revisions +of the same file + its base or RTM version. + +For example, if the October monthly quality update has updated Notepad.exe, +differentials for Notepad.exe file changes from September to October, August to +October, July to October, June to October, and from the original feature release +to October are generated. All these differentials are stored in a Patch Storage +File (PSF, also referred to as “express download files”) and hosted or cached on +Windows Update or other update management or distribution servers (for example, +Windows Server Update Services (WSUS), System Center Configuration Manager, or a +non-Microsoft update management or distribution server that supports express +updates). A device leveraging express updates uses network protocol to determine +optimal differentials, then downloads only what is needed from the update +distribution endpoints. + +The flipside of express download is that the size of PSF files can be very large +depending on the number of historical baselines against which differentials were +calculated. Downloading and caching large PSF files to on-premises or remote +update distribution servers is problematic for most organizations, hence they +are unable to leverage express updates to keep their fleet of devices running +Windows 10 up to date. Secondly, due to the complexity of generating +differentials and size of the express files that need to be cached on update +distribution servers, it is only feasible to generate express download files for +the most common baselines, thus express updates are only applicable to selected +baselines. Finally, calculation of optimal differentials is expensive in terms +of system memory utilization, especially for low-cost systems, impacting their +ability to download and apply an update seamlessly. + +In the following sections, we describe how Windows 10 quality updates will +leverage this technique based on forward and reverse differentials for newer +releases of Windows 10 and Windows Server to overcome the challenges with +express downloads. + +## High-level Design + +### Update packaging + +Windows 10 quality update packages will contain forward differentials from +quality update RTM baselines (∆RTM→N) and reverse differentials back to RTM +(∆N→RTM) for each file that has changed since RTM. By using the RTM version as +the baseline, we ensure that all devices will have an identical payload. Update +package metadata, content manifests, and forward and reverse differentials will +be packaged into a cabinet file (.cab). This .cab file, and the applicability +logic, will also be wrapped in Microsoft Standalone Update (.msu) format. + +There can be cases where new files are added to the system during servicing. +These files will not have RTM baselines, thus forward and reverse differentials +cannot be used. In these scenarios, null differentials will be used to handle +servicing. Null differentials are the slightly compressed and optimized version +of the full binaries. Update packages can have either +forward or reverse differentials, or null differential of any given binary in +them. The following image symbolizes the content of a Windows 10 quality update installer: + +![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containg four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png) + +### Hydration and installation + +Once the usual applicability checks are performed on the update package and are +determined to be applicable, the Windows component servicing infrastructure will +hydrate the full files during pre-installation and then proceed with the usual +installation process. + +Below is a high-level sequence of activities that the component servicing +infrastructure will run in a transaction to complete installation of the update: + +- Identify all files that are required to install the update. + +- Hydrate each of necessary files using current version (VN) of the file, + reverse differential (VN--->RTM) of the file back to quality update RTM/base + version and forward differential (VRTM--->R) from feature update RTM/base + version to the target version. Also, use null differential hydration to + hydrate null compressed files. + +- Stage the hydrated files (full file), forward differentials (under ‘f’ + folder) and reverse differentials (under ‘r’ folder) or null compressed + files (under ‘n’ folder) in the component store (%windir%\\WinSxS folder). + +- Resolve any dependencies and install components. + +- Clean up older state (VN-1); the previous state VN is retained for + uninstallation and restoration or repair. + +### **Resilient Hydration** + +To ensure resiliency against component store corruption or missing files that +could occur due to susceptibility of certain types of hardware to file system +corruption, a corruption repair service has been traditionally used to recover +the component store automatically (“automatic corruption repair”) or on demand +(“manual corruption repair”) using an online or local repair source. This +service will continue to offer the ability to repair and recover content for +hydration and successfully install an update, if needed. + +When corruption is detected during update operations, automatic corruption +repair will start as usual and use the Baseless Patch Storage File published to +Windows Update for each update to fix corrupted manifests, binary differentials, +or hydrated or full files. Baseless patch storage files will contain reverse and +forward differentials and full files for each updated component. Integrity of +the repair files will be hash verified. + +Corruption repair will use the component manifest to detect missing files and +get hashes for corruption detection. During update installation, new registry +flags for each differential staged on the machine will be set. When automatic +corruption repair runs, it will scan hydrated files using the manifest and +differential files using the flags. If the differential cannot be found or +verified, it will be added to the list of corruptions to repair. + +### Lazy automatic corruption repair + +“Lazy automatic corruption repair” runs during update operations to detect +corrupted binaries and differentials. While applying an update, if hydration of +any file fails, "lazy" automatic corruption repair automatically starts, +identifies the corrupted binary or differential file, and then adds it to the +corruption list. Later, the update operation continues as far as it can go, so +that "lazy" automatic corruption repair can collect as many corrupted files to fix +as possible. At the end of the hydration section, the update fails, and +automatic corruption repair starts. Automatic corruption repair runs as usual +and at the end of its operation, adds the corruption list generated by "lazy" +automatic corruption repair on top of the new list to repair. Automatic +corruption repair then repairs the files on the corruption list and installation +of the update will succeed on the next attempt. diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md index 8fb982cfe7..e5345fd55b 100644 --- a/windows/deployment/update/WIP4Biz-intro.md +++ b/windows/deployment/update/WIP4Biz-intro.md @@ -51,7 +51,7 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op |Feedback | - Provide feedback via [Feedback Hub app](insiderhub://home/). This helps us make adjustments to features as quickly as possible.
      - Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
      - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/en-us/how-to-feedback/) | ## Validate Insider Preview builds -Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/en-us/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: +Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. This activity can play an important role in your [Windows 10 deployment strategy](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business). Early validation has several benefits: - Get a head start on your Windows validation process - Identify issues sooner to accelerate your Windows deployment @@ -67,5 +67,5 @@ Along with exploring new features, you also have the option to validate your app |Users | Application and infrastructure validation: In addition to Insiders who might have participated in feature exploration, we also recommend including a small group of application users from each business department to ensure a representative sample.| |Tasks | Application and infrastructure validation: Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) and [Windows Insider Tech Community](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/bd-p/WindowsInsiderProgram) pages for updates on current issues and fixes. | |Feedback | Application and infrastructure validation:Provide feedback in the Feedback Hub app and also inform app vendors of any significant issues. | -|Guidance | Application and infrastructure validation:
      - [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
      - [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor)
      - [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)| +|Guidance | Application and infrastructure validation:
      - [Use Upgrade Readiness to create an app inventory and identify mission-critical apps](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-identify-apps)
      - [Use Device Health to identify problem devices and device drivers](https://docs.microsoft.com/windows/deployment/update/device-health-monitor)
      - [Windows 10 application compatibility](https://technet.microsoft.com/windows/mt703793)| diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md index 9e529d5f34..93a9df5c6f 100644 --- a/windows/deployment/update/change-history-for-update-windows-10.md +++ b/windows/deployment/update/change-history-for-update-windows-10.md @@ -6,15 +6,22 @@ ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin ms.author: daniha -ms.date: 09/05/2019 +ms.date: 09/18/2018 --- # Change history for Update Windows 10 -This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/en-us/windows/deployment). +This topic lists new and updated topics in the [Update Windows 10](index.md) documentation for [Deploy and Update Windows 10](https://docs.microsoft.com/windows/deployment). >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). +## September 2018 + +| New or changed topic | Description | +| --- | --- | +| [Get started with Windows Update](windows-update-overview.md) | New | + + ## RELEASE: Windows 10, version 1709 The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index 5ae3940112..e4a62129cf 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -1,11 +1,11 @@ --- title: Get started with Device Health -description: Configure Device Health in Azure Log Analytics to monitor health (such as crashes and sign-in failures) for your Windows 10 devices. +description: Configure Device Health in Azure Monitor to monitor health (such as crashes and sign-in failures) for your Windows 10 devices. keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers, azure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 09/11/2018 +ms.date: 10/29/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo @@ -26,19 +26,19 @@ This topic explains the steps necessary to configure your environment for Window ## Add the Device Health solution to your Azure subscription -Device Health is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follows these steps: +Device Health is offered as a *solution* which you link to a new or existing [Azure Monitor](https://azure.microsoft.com/services/monitor/) *workspace* within your Azure *subscription*. To configure this, follows these steps: 1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. >[!NOTE] - > Device Health is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Device Health, but no Azure charges are expected to accrue to the subscription as a result of using Device Health. + > Device Health is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Device Health, but no Azure charges are expected to accrue to the subscription as a result of using Device Health. 2. In the Azure portal select **Create a resource**, search for "Device Health", and then select **Create** on the **Device Health** solution. ![Azure portal page highlighting + Create a resource and with Device Health selected](images/CreateSolution-Part1-Marketplace.png) ![Azure portal showing Device Health fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](images/CreateSolution-Part2-Create.png) 3. Choose an existing workspace or create a new workspace to host the Device Health solution. - ![Azure portal showing Log Analytics workspace fly-in](images/CreateSolution-Part3-Workspace.png) + ![Azure portal showing Azure Monitor workspace fly-in](images/CreateSolution-Part3-Workspace.png) - If you are using other Windows Analytics solutions (Upgrade Readiness or Update Compliance) you should add Device Health to the same workspace. - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. @@ -48,7 +48,7 @@ Device Health is offered as a *solution* which you link to a new or existing [Az 4. Now that you have selected a workspace, you can go back to the Device Health blade and select **Create**. ![Azure portal showing workspace selected and with Create button highlighted](images/CreateSolution-Part4-WorkspaceSelected.png) 5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.DeviceHealth' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. - ![Azure portal all services page with Log Analytics found and selected as favorite](images/CreateSolution-Part5-GoToResource.png) + ![Azure portal all services page with Azure Monitor found and selected as favorite](images/CreateSolution-Part5-GoToResource.png) - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Device Health solution. - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. @@ -56,7 +56,7 @@ Device Health is offered as a *solution* which you link to a new or existing [Az Once you've added Device Health to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Device Health there are two key steps for enrollment: 1. Deploy your CommercialID (from Device Health Settings page) to your Windows 10 devices (typically using Group Policy or similar) -2. Ensure the Windows Diagnostic Data setting on devices is set to Enhanced or Full (typically using Group Policy or similar). Note that the [Limit Enhanced](https://docs.microsoft.com/en-us/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields) policy can substantially reduce the amount of diagnostic data shared with Microsoft while still allowing Device Health to function. +2. Ensure the Windows Diagnostic Data setting on devices is set to Enhanced or Full (typically using Group Policy or similar). Note that the [Limit Enhanced](https://docs.microsoft.com/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields) policy can substantially reduce the amount of diagnostic data shared with Microsoft while still allowing Device Health to function. For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it may take 48-72 hours for the first data to appear in the solution. Until then, the Device Health tile will show "Performing Assessment." diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md index 42e88d5675..25bcd0d27e 100644 --- a/windows/deployment/update/device-health-monitor.md +++ b/windows/deployment/update/device-health-monitor.md @@ -18,7 +18,7 @@ ms.author: jaimeo Device Health is the newest Windows Analytics solution that complements the existing Upgrade Readiness and Update Compliance solutions by providing IT with reports on some common problems the end users might experience so they can be proactively remediated, thus saving support calls and improving end-user productivity. -Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Like Upgrade Readiness and Update Compliance, Device Health is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service that has a flexible servicing subscription based on data usage and retention. This release is free for customers to try and will not incur charges on your OMS workspace for its use. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). Device Health uses Windows diagnostic data that is part of all Windows 10 devices. If you have already employed Upgrade Readiness or Update Compliance solutions, all you need to do is select Device Health from the OMS solution gallery and add it to your OMS workspace. Device Health requires enhanced diagnostic data, so you might need to implement this policy if you've not already done so. diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md index 3e28db2683..890e0c33bb 100644 --- a/windows/deployment/update/device-health-using.md +++ b/windows/deployment/update/device-health-using.md @@ -57,7 +57,7 @@ Clicking the header of the Frequently Crashing Devices blade opens a reliability Notice the filters in the left pane; they allow you to filter the crash rate shown to a particular operating system version, device model, or other parameter. >[!NOTE] ->Use caution when interpreting results filtered by model or operating system version. This is very useful for troubleshooting, but might not be accurate for *comparisons* because the crashes displayed could be of different types. The overall goal for working with crash data is to ensure that most devices have the same driver versions and that that version has a low crash rate. +>Use caution when interpreting results filtered by model or operating system version. This is very useful for troubleshooting, but might not be accurate for *comparisons* because the crashes displayed could be of different types. The overall goal for working with crash data is to ensure that most devices have the same driver versions and that the version has a low crash rate. >[!TIP] >Once you've applied a filter (for example setting OSVERSION=1607) you will see the query in the text box change to append the filter (for example, with “(OSVERSION=1607)”). To undo the filter, remove that part of the query in the text box and click the search button to the right of the text box to run the adjusted query.” diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md new file mode 100644 index 0000000000..e360ba20b9 --- /dev/null +++ b/windows/deployment/update/fod-and-lang-packs.md @@ -0,0 +1,23 @@ +--- +title: Windows 10 - How to make FoDs and language packs available when you're using WSUS/SCCM +description: Learn how to make FoDs and language packs available for updates when you're using WSUS/SCCM. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: article +ms.author: elizapo +author: lizap +ms.localizationpriority: medium +ms.date: 10/18/2018 +--- +# How to make Features on Demand and language packs available when you're using WSUS/SCCM + +> Applies to: Windows 10 + +As of Windows 10, version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) and language packs for Windows 10 clients. Instead, you can pull them directly from Windows Update - you just need to change a Group Policy setting that lets clients download these directly from Windows Update. You can also host Features on Demand and language packs on a network share, but starting with Windows 10, version 1809, language packs can only be installed from Windows Update. + +For Active Directory and Group Policy environments running in a WSUS\SCCM environment change the **Specify settings for optional component installation and component repair** policy to enable downloading Features on Demand directly from Windows Update or a local share. This setting is located in Computer Configuration\Administrative Templates\System in the Group Policy Editor. + +Changing this policy only enables Features on Demand and language pack downloads from Windows Update - it doesn't affect how clients get feature and quality updates. Feature and quality updates will continue to come directly from WSUS\SCCM. It also doesn't affect the schedule for your clients to receive updates. + +Learn about other client management options, including using Group Policy and ADMX, in [Manage clients in Windows 10](https://docs.microsoft.com/windows/client-management/). diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md new file mode 100644 index 0000000000..b073e9cd2f --- /dev/null +++ b/windows/deployment/update/how-windows-update-works.md @@ -0,0 +1,142 @@ +--- +title: How Windows Update works +description: Learn how Windows Update works, including architecture and troubleshooting +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 09/18/2018 +--- + +# How does Windows Update work? + +>Applies to: Windows 10 + +The Windows Update workflow has four core areas of functionality: + +### Scan + +1. Orchestrator schedules the scan. +2. Orchestrator vertifies admin approvals and policies for download. + + +### Download +1. Orchestrator initiates downloads. +2. Windows Update downloads manifest files and provides them to the arbiter. +3. The arbiter evaluates the manifest and tells the Windows Update client to download files. +4. Windows Update client downloads files in a temporary folder. +5. The arbiter stages the downloaded files. + + +### Install +1. Orchestrator initates the installation. +2. The arbiter calls the installer to install the package. + + +### Commit +1. Orchestrator initiates a restart. +2. The arbiter finalizes before the restart. + + +## How updating works +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. + +## Scanning updates +![Windows Update scanning step](images/update-scan-step.png) + +The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. + +When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. + +Make sure you're familiar with the following terminology related to Windows Update scan: + +|Term|Definition| +|----|----------| +|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| +|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| +|Child update|Leaf update that's bundled by another update; contains payload.| +|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| +|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | +|Full scan|Scan with empty datastore.| +|Delta scan|Scan with updates from previous scan already cached in datastore.| +|Online scan|Scan that hits network and goes against server on cloud. | +|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | +|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| +|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| +|Software sync|Part of the scan that looks at software updates only (OS and apps).| +|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| +|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | + +### How Windows Update scanning works + +Windows Update takes the following sets of actions when it runs a scan. + +#### Starts the scan for updates +When users start scanning in Windows Update through the Settings panel, the following occurs: + +- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. +- "Agent" messages: queueing the scan, then actually starting the work: + - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. + - Windows Update uses the thread ID filtering to concentrate on one particular task. + + ![Windows Update scan log 1](images/update-scan-log-1.png) + +#### Identifies service IDs + +- Service IDs indicate which update source is being scanned. + Note The next screen shot shows Microsoft Update and the Flighting service. + +- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. + ![Windows Update scan log 2](images/update-scan-log-2.png) +- Common service IDs + + >[!IMPORTANT] + >ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. + +|Service|ServiceId| +|-------|---------| +|Unspecified / Default|WU, MU or WSUS
      00000000-0000-0000-0000-000000000000 | +|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| +|MU|7971f918-a847-4430-9279-4a52d1efe18d| +|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| +|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| +|WSUS or SCCM|Via ServerSelection::ssManagedServer
      3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | +|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| + +#### Finds network faults +Common update failure is caused due to network issues. To find the root of the issue: + +- Look for "ProtocolTalker" messages to see client-server sync network traffic. +- "SOAP faults" can be either client- or server-side issues; read the message. +- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. + + >[!NOTE] + >Warning messages for SLS can be ignored if the search is against WSUS/SCCM. + +- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. + ![Windows Update scan log 3](images/update-scan-log-3.png) + +## Downloading updates +![Windows Update download step](images/update-download-step.png) + +Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. + +To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. + +For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). + +## Installing updates +![Windows Update install step](images/update-install-step.png) + +When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". + +The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. + +## Committing Updates +![Windows Update commit step](images/update-commit-step.png) + +When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. + +For more information see [Manage device restarts after updates](waas-restart.md). \ No newline at end of file diff --git a/windows/deployment/update/images/PSF1.png b/windows/deployment/update/images/PSF1.png new file mode 100644 index 0000000000..3476cf6c11 Binary files /dev/null and b/windows/deployment/update/images/PSF1.png differ diff --git a/windows/deployment/update/images/PSF2.png b/windows/deployment/update/images/PSF2.png new file mode 100644 index 0000000000..1da8698dff Binary files /dev/null and b/windows/deployment/update/images/PSF2.png differ diff --git a/windows/deployment/update/images/PSF3.png b/windows/deployment/update/images/PSF3.png new file mode 100644 index 0000000000..79be89cea3 Binary files /dev/null and b/windows/deployment/update/images/PSF3.png differ diff --git a/windows/deployment/update/images/PSF4.png b/windows/deployment/update/images/PSF4.png new file mode 100644 index 0000000000..20f9a1a887 Binary files /dev/null and b/windows/deployment/update/images/PSF4.png differ diff --git a/windows/deployment/update/images/UC_00_marketplace_search.PNG b/windows/deployment/update/images/UC_00_marketplace_search.PNG new file mode 100644 index 0000000000..dcdf25d38a Binary files /dev/null and b/windows/deployment/update/images/UC_00_marketplace_search.PNG differ diff --git a/windows/deployment/update/images/UC_01_marketplace_create.PNG b/windows/deployment/update/images/UC_01_marketplace_create.PNG new file mode 100644 index 0000000000..4b34311112 Binary files /dev/null and b/windows/deployment/update/images/UC_01_marketplace_create.PNG differ diff --git a/windows/deployment/update/images/UC_02_workspace_create.PNG b/windows/deployment/update/images/UC_02_workspace_create.PNG new file mode 100644 index 0000000000..ed3eeeebbb Binary files /dev/null and b/windows/deployment/update/images/UC_02_workspace_create.PNG differ diff --git a/windows/deployment/update/images/UC_03_workspace_select.PNG b/windows/deployment/update/images/UC_03_workspace_select.PNG new file mode 100644 index 0000000000..d00864b861 Binary files /dev/null and b/windows/deployment/update/images/UC_03_workspace_select.PNG differ diff --git a/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG b/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG new file mode 100644 index 0000000000..3ea9f57531 Binary files /dev/null and b/windows/deployment/update/images/UC_04_resourcegrp_deployment_successful.PNG differ diff --git a/windows/deployment/update/images/UC_tile_assessing.PNG b/windows/deployment/update/images/UC_tile_assessing.PNG new file mode 100644 index 0000000000..2709763570 Binary files /dev/null and b/windows/deployment/update/images/UC_tile_assessing.PNG differ diff --git a/windows/deployment/update/images/UC_tile_filled.PNG b/windows/deployment/update/images/UC_tile_filled.PNG new file mode 100644 index 0000000000..f7e1bab284 Binary files /dev/null and b/windows/deployment/update/images/UC_tile_filled.PNG differ diff --git a/windows/deployment/update/images/UC_workspace_DO_status.PNG b/windows/deployment/update/images/UC_workspace_DO_status.PNG new file mode 100644 index 0000000000..fa7550f0f5 Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_DO_status.PNG differ diff --git a/windows/deployment/update/images/UC_workspace_FU_status.PNG b/windows/deployment/update/images/UC_workspace_FU_status.PNG new file mode 100644 index 0000000000..14966b1d8a Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_FU_status.PNG differ diff --git a/windows/deployment/update/images/UC_workspace_SU_status.PNG b/windows/deployment/update/images/UC_workspace_SU_status.PNG new file mode 100644 index 0000000000..3564c9b6e5 Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_SU_status.PNG differ diff --git a/windows/deployment/update/images/UC_workspace_WDAV_status.PNG b/windows/deployment/update/images/UC_workspace_WDAV_status.PNG new file mode 100644 index 0000000000..40dcaef949 Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_WDAV_status.PNG differ diff --git a/windows/deployment/update/images/UC_workspace_needs_attention.png b/windows/deployment/update/images/UC_workspace_needs_attention.png new file mode 100644 index 0000000000..be8033a9d6 Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_needs_attention.png differ diff --git a/windows/deployment/update/images/UC_workspace_overview_blade.PNG b/windows/deployment/update/images/UC_workspace_overview_blade.PNG new file mode 100644 index 0000000000..beb04cdc18 Binary files /dev/null and b/windows/deployment/update/images/UC_workspace_overview_blade.PNG differ diff --git a/windows/deployment/update/images/champs-2.png b/windows/deployment/update/images/champs-2.png new file mode 100644 index 0000000000..bb87469a35 Binary files /dev/null and b/windows/deployment/update/images/champs-2.png differ diff --git a/windows/deployment/update/images/champs.png b/windows/deployment/update/images/champs.png new file mode 100644 index 0000000000..ea719bc251 Binary files /dev/null and b/windows/deployment/update/images/champs.png differ diff --git a/windows/deployment/update/images/deploy-land.png b/windows/deployment/update/images/deploy-land.png new file mode 100644 index 0000000000..bf104b6843 Binary files /dev/null and b/windows/deployment/update/images/deploy-land.png differ diff --git a/windows/deployment/update/images/discover-land.png b/windows/deployment/update/images/discover-land.png new file mode 100644 index 0000000000..8f9e30ce10 Binary files /dev/null and b/windows/deployment/update/images/discover-land.png differ diff --git a/windows/deployment/update/images/ignite-land.jpg b/windows/deployment/update/images/ignite-land.jpg new file mode 100644 index 0000000000..7d0837af47 Binary files /dev/null and b/windows/deployment/update/images/ignite-land.jpg differ diff --git a/windows/deployment/update/images/plan-land.png b/windows/deployment/update/images/plan-land.png new file mode 100644 index 0000000000..7569da7ac1 Binary files /dev/null and b/windows/deployment/update/images/plan-land.png differ diff --git a/windows/deployment/update/images/servicing-cadence.png b/windows/deployment/update/images/servicing-cadence.png new file mode 100644 index 0000000000..cb79ff70be Binary files /dev/null and b/windows/deployment/update/images/servicing-cadence.png differ diff --git a/windows/deployment/update/images/servicing-previews.png b/windows/deployment/update/images/servicing-previews.png new file mode 100644 index 0000000000..0914b555ba Binary files /dev/null and b/windows/deployment/update/images/servicing-previews.png differ diff --git a/windows/deployment/update/images/update-commit-step.png b/windows/deployment/update/images/update-commit-step.png new file mode 100644 index 0000000000..d9b3d0cd2d Binary files /dev/null and b/windows/deployment/update/images/update-commit-step.png differ diff --git a/windows/deployment/update/images/update-component-name.png b/windows/deployment/update/images/update-component-name.png new file mode 100644 index 0000000000..79152f5aeb Binary files /dev/null and b/windows/deployment/update/images/update-component-name.png differ diff --git a/windows/deployment/update/images/update-download-step.png b/windows/deployment/update/images/update-download-step.png new file mode 100644 index 0000000000..a7e8f1a3e5 Binary files /dev/null and b/windows/deployment/update/images/update-download-step.png differ diff --git a/windows/deployment/update/images/update-inconsistent.png b/windows/deployment/update/images/update-inconsistent.png new file mode 100644 index 0000000000..ac0768471a Binary files /dev/null and b/windows/deployment/update/images/update-inconsistent.png differ diff --git a/windows/deployment/update/images/update-install-step.png b/windows/deployment/update/images/update-install-step.png new file mode 100644 index 0000000000..896535b52e Binary files /dev/null and b/windows/deployment/update/images/update-install-step.png differ diff --git a/windows/deployment/update/images/update-process-id.png b/windows/deployment/update/images/update-process-id.png new file mode 100644 index 0000000000..4045f4ee7e Binary files /dev/null and b/windows/deployment/update/images/update-process-id.png differ diff --git a/windows/deployment/update/images/update-scan-log-1.png b/windows/deployment/update/images/update-scan-log-1.png new file mode 100644 index 0000000000..69691066ac Binary files /dev/null and b/windows/deployment/update/images/update-scan-log-1.png differ diff --git a/windows/deployment/update/images/update-scan-log-2.png b/windows/deployment/update/images/update-scan-log-2.png new file mode 100644 index 0000000000..7b059f7011 Binary files /dev/null and b/windows/deployment/update/images/update-scan-log-2.png differ diff --git a/windows/deployment/update/images/update-scan-log-3.png b/windows/deployment/update/images/update-scan-log-3.png new file mode 100644 index 0000000000..e6abcd1024 Binary files /dev/null and b/windows/deployment/update/images/update-scan-log-3.png differ diff --git a/windows/deployment/update/images/update-scan-step.png b/windows/deployment/update/images/update-scan-step.png new file mode 100644 index 0000000000..b603de2625 Binary files /dev/null and b/windows/deployment/update/images/update-scan-step.png differ diff --git a/windows/deployment/update/images/update-terminology.png b/windows/deployment/update/images/update-terminology.png new file mode 100644 index 0000000000..803c35d447 Binary files /dev/null and b/windows/deployment/update/images/update-terminology.png differ diff --git a/windows/deployment/update/images/update-time-log.png b/windows/deployment/update/images/update-time-log.png new file mode 100644 index 0000000000..4b311c1ce8 Binary files /dev/null and b/windows/deployment/update/images/update-time-log.png differ diff --git a/windows/deployment/update/images/update-update-id.png b/windows/deployment/update/images/update-update-id.png new file mode 100644 index 0000000000..efcf6b09a8 Binary files /dev/null and b/windows/deployment/update/images/update-update-id.png differ diff --git a/windows/deployment/update/images/video-snip.PNG b/windows/deployment/update/images/video-snip.PNG new file mode 100644 index 0000000000..35317ee027 Binary files /dev/null and b/windows/deployment/update/images/video-snip.PNG differ diff --git a/windows/deployment/update/images/windows-update-workflow.png b/windows/deployment/update/images/windows-update-workflow.png new file mode 100644 index 0000000000..e597eaec2a Binary files /dev/null and b/windows/deployment/update/images/windows-update-workflow.png differ diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 23321eb5ad..7a74f8e858 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -7,7 +7,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 05/29/2018 +ms.date: 11/29/2018 --- # Servicing stack updates @@ -15,25 +15,38 @@ ms.date: 05/29/2018 **Applies to** -- Windows 10 +- Windows 10, Windows 8.1, Windows 8, Windows 7 ## What is a servicing stack update? -The "servicing stack" is the code that installs other operating system updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. +Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month. ## Why should servicing stack updates be installed and kept up to date? -Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. +Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes. ## When are they released? -Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required. +Servicing stack update are scheduled to release simultaneously with the monthly quality updates. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical." + +>[!NOTE] +>You can find a list of servicing stack updates at [Latest servicing stack updates](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). + +## What's the difference between a servicing stack update and a cumulative update? + +Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. + +Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. + ## Is there any special guidance? -Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. +Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update. + +Typically, the improvements are reliability and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes. ## Installation notes * Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system. * Installing servicing stack update does not require restarting the device, so installation should not be disruptive. * Servicing stack update releases are specific to the operating system version (build number), much like quality updates. +* Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001). \ No newline at end of file diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index 9c77b0f094..c29062acb5 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 03/27/2018 +ms.date: 10/04/2018 keywords: oms, operations management suite, optimization, downloads, updates, log analytics ms.localizationpriority: medium --- @@ -15,9 +15,7 @@ ms.localizationpriority: medium # Delivery Optimization in Update Compliance The Update Compliance solution of Windows Analytics provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days. ->[!Note] ->Delivery Optimization Status is currently in development. See the [Known Issues](#known-issues) section for issues we are aware of and potential workarounds. - +![DO status](images/UC_workspace_DO_status.png) ## Delivery Optimization Status @@ -27,7 +25,7 @@ The Delivery Optimization Status section includes three blades: - The **Content Distribution (%)** blade shows the percentage of bandwidth savings for each category - The **Content Distribution (GB)** blade shows the total amount of data seen from each content type broken down by the download source (peers vs non-peers). -![DO status](images/uc-DO-status.png) + ## Device Configuration blade @@ -46,8 +44,3 @@ The download sources that could be included are: - Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the “Group” download mode is used) - HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates. -## Known Issues -Delivery Optimization is currently in development. The following issues are known: - -- DO Download Mode is not accurately portrayed in the Device Configuration blade. There is no workaround at this time. - diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 0235ac8cea..658f351965 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -5,20 +5,20 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/18/2017 +author: Jaimeo +ms.author: jaimeo +ms.date: 10/04/2018 --- # Feature Update Status -![The Feature Update Status report](images/uc-featureupdatestatus.png) +![The Feature Update Status report](images/UC_workspace_FU_status.png) -The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#servicing-channels). +The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). ## Overall Feature Update Status -The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/en-us/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and OS Version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. +The Overall Feature Update Status blade breaks down how many devices are up-to-date or not, with a special callout for how many devices are running a build that is not supported (for a full list of feature updates, check out the [Windows 10 Release Information](https://technet.microsoft.com/windows/release-info.aspx) page). The table beneath the visualization breaks devices down by Servicing Channel and operating system version, then defining whether this combination is *up-to-date*, *not up-to-date* or *out of support*. Finally, the table provides a count of devices that fall into this category. ## Deployment Status by Servicing Channel @@ -31,4 +31,3 @@ Refer to the following list for what each state means: * Devices that have failed the given feature update installation are counted as **Update failed**. * If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. -Clicking on any row will navigate to the query relevant to that feature update. These queries are attached to [Perspectives](update-compliance-perspectives.md) that contain detailed deployment data for that update. diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 89e5ebf0c7..0d73747fed 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -8,76 +8,65 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 08/21/2018 +ms.date: 10/04/2018 ms.localizationpriority: medium --- # Get started with Update Compliance - ->[!IMPORTANT] ->**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). - -This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. +This topic explains the steps necessary to configure your environment for Windows Analytics: Update Compliance. Steps are provided in sections that follow the recommended setup process: -1. [Add Update Compliance](#add-update-compliance-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite. -2. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) to your organization’s devices. -3. [Use Update Compliance to monitor Windows Updates](#use-update-compliance-to-monitor-windows-updates) once your devices are enrolled. +1. Ensure you meet the [Update Compliance prerequisites](#update-compliance-prerequisites). +2. [Add Update Compliance to your Azure subscription](#add-update-compliance-to-your-azure-subscription). +3. [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics). +4. [Use Update Compliance](update-compliance-using.md) to monitor Windows Updates, Windows Defender Antivirus status, and Delivery Optimization. +## Update Compliance prerequisites +Before you begin the process to add Update Compliance to your Azure subscription, first ensure you can meet the prerequisites: +1. Update Compliance works only with Windows 10 Professional, Education, and Enterprise editions. Update Compliance only provides data for the standard Desktop Windows 10 version and is not currently compatible with Windows Server, Surface Hub, IoT, etc. +2. Update Compliance provides detailed deployment data for devices on the Semi-Annual Channel and the Long-term Servicing Channel. Update Compliance will show Windows Insider Preview devices, but currently will not provide detailed deployment information for them. +3. Update Compliance requires at least the Basic level of diagnostic data and a Commercial ID to be enabled on the device. +4. To show device names for versions of Windows 10 starting with 1803 in Windows Analytics you must opt in. For details about this, see the "AllowDeviceNameinTelemetry (in Windows 10)" entry in the table in the [Distributing policies at scale](windows-analytics-get-started.md#deploying-windows-analytics-at-scale) section of [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). +5. To use the Windows Defender Status, devices must be E3-licensed and have Cloud Protection enabled. E5-licensed devices will not appear here. For E5 devices, you should use [Windows Defender ATP](https://docs.microsoft.com/sccm/protect/deploy-use/windows-defender-advanced-threat-protection) instead. For more information on Windows 10 Enterprise licensing, see [Windows 10 Enterprise: FAQ for IT Professionals](https://docs.microsoft.com/windows/deployment/planning/windows-10-enterprise-faq-itpro). -## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics +## Add Update Compliance to your Azure subscription +Update Compliance is offered as a solution which is linked to a new or existing [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) workspace within your Azure subscription. To configure this, follow these steps: -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. ->[!IMPORTANT] ->Update Compliance is a free solution for Azure subscribers. +> [!NOTE] +> Update Compliance is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Update Compliance, but no Azure charges are expected to accrue to the subscription as a result of using Update Compliance. -If you are already using OMS, skip to step **6** to add Update Compliance to your workspace. +2. In the Azure portal select **+ Create a resource**, and search for “Update Compliance". You should see it in the results below. ->[!NOTE] ->If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Update Compliance solution and add it to your workspace. +![Update Compliance marketplace search results](images/UC_00_marketplace_search.png) +3. Select **Update Compliance** and a blade will appear summarizing the solution’s offerings. At the bottom, select **Create** to begin adding the solution to Azure. -If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance: +![Update Compliance solution creation](images/UC_01_marketplace_create.png) -1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. - ![Operations Management Suite bar with sign-in button](images/uc-02a.png) - -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. - ![OMS Sign-in dialog box for account name and password](images/uc-03a.png) - -3. Create a new OMS workspace. - ![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png) - -4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**. - ![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png) - -5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace. - ![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png) - -6. To add the Update Compliance solution to your workspace, go to the Solutions Gallery. While you have this dialog open, you should also consider adding the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Device Health](device-health-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. - ![OMS workspace with Solutions Gallery tile highlighted](images/uc-07a.png) - -7. Select the **Update Compliance** tile in the gallery and then select **Add** on the solution’s details page. You might need to scroll to find **Update Compliance**. The solution is now visible in your workspace. - ![Workspace showing Solutions Gallery](images/uc-08a.png) - -8. Click the **Update Compliance** tile to configure the solution. The **Settings Dashboard** opens. - ![OMS workspace with new Update Compliance tile on the right side highlighted](images/uc-09a.png) - -9. Click **Subscribe** to subscribe to OMS Update Compliance. You will then need to distribute your Commercial ID across all your organization’s devices. More information on the Commercial ID is provided below. - ![Series of blades showing Connected Sources, Windows Diagnostic Data, and Upgrade Analytics solution with Subscribe button](images/uc-10a.png) - -After you are subscribed to OMS Update Compliance and your devices have a Commercial ID, you will begin receiving data. It will typically take 24 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices. +4. Choose an existing workspace or create a new workspace that will be assigned to the Update Compliance solution. + - If you already have another Windows Analytics solution, you should use the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **Free**. ->[!NOTE] ->You can unsubscribe from the Update Compliance solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic. +![Update Compliance workspace creation](images/UC_02_workspace_create.png) + +5. The resource group and workspace creation process could take a few minutes. After this, you are able to use that workspace for Update Compliance. Select **Create**. + +![Update Compliance workspace selection](images/UC_03_workspace_select.png) + +6. Watch for a notification in the Azure portal that your deployment has been successful. This might take a few minutes. Then, select **Go to resource**. + +![Update Compliance deployment successful](images/UC_04_resourcegrp_deployment_successful.png) ## Enroll devices in Windows Analytics +Once you've added Update Compliance to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Update Compliance there are two key steps for enrollment: +1. Deploy your Commercial ID (from the Update Compliance Settings page) to your Windows 10 devices (typically by using Group Policy, [Mobile Device Management](https://docs.microsoft.com/windows/client-management/windows-10-mobile-and-mdm), [System Center Configuration Manager](https://docs.microsoft.com/sccm/core/understand/introduction) or similar). +2. Ensure the Windows Diagnostic Data setting on devices is set to at least Basic (typically using Group Policy or similar). For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). -Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). - - -## Use Update Compliance to monitor Windows Updates - -Once your devices are enrolled, you can start to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md). +After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it might take 48-72 hours for the first data to appear in the solution. Until then, Update Compliance will indicate it is still assessing devices. diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 2719e89d62..25fac89570 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -8,51 +8,39 @@ ms.sitesec: library ms.pagetype: deploy author: Jaimeo ms.author: jaimeo -ms.date: 02/09/2018 +ms.date: 10/04/2018 ms.localizationpriority: medium --- -# Monitor Windows Updates and Windows Defender Antivirus with Update Compliance +# Monitor Windows Updates with Update Compliance ## Introduction -With Windows 10, organizations need to change the way they approach monitoring and deploying updates. Update Compliance is a powerful set of tools that enable organizations to monitor and track all important aspects of the new servicing strategy from Microsoft: [Windows as a Service](waas-overview.md). +Update Compliance is a [Windows Analytics solution](windows-analytics-overview.md) that enables organizations to: -Update Compliance is a solution built within Operations Management Suite (OMS), a cloud-based monitoring and automation service which has a flexible servicing subscription based off data usage/retention. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). +* Monitor Windows 10 Professional, Education, and Enterprise security, quality, and feature updates. +* View a report of device and update issues related to compliance that need attention. +* See the status of Windows Defender Antivirus signatures and threats. +* Check bandwidth savings incurred across multiple content types by using [Delivery Optimization](waas-delivery-optimization.md). -Update Compliance uses the Windows diagnostic data that is part of all Windows 10 devices. It collects system data including update installation progress, Windows Update for Business (WUfB) configuration data, Windows Defender Antivirus data, and other update-specific information, and then sends this data privately to a secure cloud to be stored for analysis and usage within the solution. +Update Compliance is offered through the Azure portal, and is available free for devices that meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). -Update Compliance provides the following: - -- Dedicated drill-downs for devices that might need attention -- An inventory of devices, including the version of Windows they are running and their update status -- The ability to track protection and threat status for Windows Defender Antivirus-enabled devices -- An overview of WUfB deferral configurations (Windows 10 Anniversary Update [1607] and later) -- Powerful built-in [log analytics](https://www.microsoft.com/en-us/cloud-platform/insight-and-analytics?WT.srch=1&WT.mc_id=AID529558_SEM_%5B_uniqid%5D&utm_source=Bing&utm_medium=CPC&utm_term=log%20analytics&utm_campaign=Hybrid_Cloud_Management) to create useful custom queries -- Cloud-connected access utilizing Windows 10 diagnostic data means no need for new complex, customized infrastructure +Update Compliance uses Windows 10 and Windows Defender Antivirus diagnostic data for all of its reporting. It collects system data including update deployment progress, [Windows Update for Business](waas-manage-updates-wufb.md) configuration data, Windows Defender Antivirus data, and Delivery Optimization usage data, and then sends this data to a secure cloud to be stored for analysis and usage in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal). See the following topics in this guide for detailed information about configuring and using the Update Compliance solution: - [Get started with Update Compliance](update-compliance-get-started.md): How to add Update Compliance to your environment. - [Using Update Compliance](update-compliance-using.md): How to begin using Update Compliance. -Click the following link to see a video demonstrating Update Compliance features. - -[![YouTube video demonstrating Update Compliance](images/UC-vid-crop.jpg)](https://www.youtube-nocookie.com/embed/1cmF5c_R8I4) - ## Update Compliance architecture The Update Compliance architecture and data flow is summarized by the following five-step process: **(1)** User computers send diagnostic data to a secure Microsoft data center using the Microsoft Data Management Service.
      **(2)** Diagnostic data is analyzed by the Update Compliance Data Service.
      -**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your OMS workspace.
      +**(3)** Diagnostic data is pushed from the Update Compliance Data Service to your Azure Monitor workspace.
      **(4)** Diagnostic data is available in the Update Compliance solution.
      -**(5)** You are able to monitor and troubleshoot Windows updates and Windows Defender AV in your environment.
      -These steps are illustrated in following diagram: - -![Update Compliance architecture](images/uc-01-wdav.png) >[!NOTE] >This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index c22ccf1812..8f21da95f6 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -5,34 +5,39 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/13/2017 +author: Jaimeo +ms.author: jaimeo +ms.date: 10/04/2018 --- -# Need Attention! +# Needs attention! +![Needs attention section](images/UC_workspace_needs_attention.png) -![Need Attention! report](images/uc-needattentionoverview.png) - -The “Need Attention!” section provides a breakdown of all device issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade is shown within this section that contains queries that provide values but do not fit within any other main section. +The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. >[!NOTE] ->The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers may not add up. +>The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. -The different issues are broken down by Device Issues and Update Issues, which are iterated below: +The different issues are broken down by Device Issues and Update Issues: ## Device Issues -* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices may be more vulnerable and should be investigated and updated. -* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer be serviced, and may be vulnerable. These devices should be updated to a supported version of Windows 10. +* **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. +* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows 10 it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows 10. ## Update Issues -* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors may be transient, but should be investigated further to be sure. +* **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure. +* **Cancelled**: This issue occurs when a user cancels the update process. +* **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. +* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. * **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days. -Clicking on any of the issues will navigate you to the Log Search view with all devices that have the given issue. +Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. + +>[!NOTE] +>This blade also has a link to the [Setup Diagnostic Tool](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag), a standalone tool you can use to obtain details about why a Windows 10 feature update was unsuccessful. ## List of Queries -The List of Queries blade resides within the “Need Attention!” section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. \ No newline at end of file +The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index 969c2e6d55..bf7d1d6795 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md @@ -5,28 +5,25 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -author: DaniHalfin -ms.author: daniha -ms.date: 10/13/2017 +author: Jaimeo +ms.author: jaimeo +ms.date: 10/04/2018 --- # Security Update Status -![The Security Update Status report](images/uc-securityupdatestatus.png) +![The Security Update Status report](images/UC_workspace_SU_status.png) -The Security Update Status section provides information about [quality updates](waas-quick-start.md#definitions) across all devices. The section tile within the O[verview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update to provide the most essential data without needing to navigate into the section. However, within the section the Overall Quality Update Status blade also considers whether devices are up-to-date on non-security updates. +The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows 10 version and the deployment progress toward the latest two security updates. ->[!NOTE] ->It is possible for the percentage of devices on the latest security update to differ from devices that are up-to-date on all quality updates. This is because some devices may have non-security updates that are applicable to them. - -The **Overall Quality Update Status** blade provides a visualization of devices that are and are not up-to-date on the latest quality updates (not just security updates). Below the visualization are all devices further broken down by OS Version and a count of how many are up-to-date and not up-to-date. Within the “Not up-to-date” column, the count of update failures is also given. +The **Overall Security Update Status** blade provides a visualization of devices that are and do not have the latest security updates. Below the visualization are all devices further broken down by operating system version and a count of devices that are up to date and not up to date. The **Not up to date** column also provides a count of update failures. The **Latest Security Update Status** and **Previous Security Update Status** tiles are stacked to form one blade. The **Latest Security Update Status** provides a visualization of the different deployment states devices are in regarding the latest update for each build (or version) of Windows 10, along with the revision of that update. The **Previous Security Update Status** blade provides the same information without the accompanying visualization. -What follows is a breakdown of the different deployment states reported by devices: +The various deployment states reported by devices are as follows: * **Installed** devices are devices that have completed installation for the given update. -* When a device is counted as **In Progress or Deferred**, it has either begun the installation process for the given update or has been intentionally deferred or paused using WU for Business Settings. -* Devices that have **Update Failed**, failed updating at some point during the installation process of the given security update. -* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. Devices not using Windows Update are the most likely devices to fall into this category. +* When a device is counted as **In Progress or Deferred**, it has either begun the installation process for the given update or has been intentionally deferred or paused using Windows Update for Business Settings. +* Devices that have **Update Issues** have failed to update at some point during the installation process of the given security update or have not seen progress for a period of seven days. +* If a device should be, in some way, progressing toward this security update, but its status cannot be inferred, it will count as **Status Unknown**. This is most often devices that have not scanned for an update in some time, or devices not being managed through Windows Update. -The rows of each tile in this section are interactive; clicking on them will navigate you to the query that is representative of that row and section. These queries are also attached to [Perspectives](update-compliance-perspectives.md) with detailed deployment data for that update. \ No newline at end of file +The rows of each tile in this section are interactive; selecting them will navigate you to the query that is representative of that row and section. diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 2bcc3b064e..d9b61d93cf 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 10/13/2017 +ms.date: 10/04/2018 ms.localizationpriority: medium --- @@ -18,64 +18,72 @@ In this section you'll learn how to use Update Compliance to monitor your device Update Compliance: -- Uses diagnostic data gathered from user devices to form an all-up view of Windows 10 devices in your organization. -- Enables you to maintain a high-level perspective on the progress and status of updates across all devices. -- Provides a workflow that can be used to quickly identify which devices require attention. -- Enables you to track deployment compliance targets for updates. -- Summarizes Windows Defender Antivirus status for devices that use it. +- Provides detailed deployment data for Windows 10 security, quality, and feature updates. +- Reports when devices have issues related to updates that need attention. +- Shows Windows Defender AV status information for devices that use it and meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites). +- Shows bandwidth usage and savings for devices that are configured to use [Delivery Optimization](waas-delivery-optimization.md). +- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities. ->[!NOTE] ->Information is refreshed daily so that update progress can be monitored. Changes will be displayed about 24 hours after their occurrence, so you always have a recent snapshot of your devices. +## The Update Compliance tile +After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you’ll see this tile: -In Update Compliance, data is separated into vertically-sliced sections. Each section is referred to as a blade. Within a blade, there may or may not be multiple tiles, which serve to represent the data in different ways. Blades are summarized by their title in the upper-left corner above it. Every number displayed in OMS is the direct result of one or more queries. Clicking on data in blades will often navigate you to the query view, with the query used to produce that data. Some of these queries have perspectives attached to them; when a perspective is present, an additional tab will load in the query view. These additional tabs provide blades containing more information relevant to the results of the query. +![Update Compliance tile no data](images/UC_tile_assessing.png) -## The Update Compliance Tile +When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary: -After Update Compliance has successfully been added from the solution gallery, you’ll see this tile: -![Empty Update Compliance Tile](images/uc-emptyworkspacetile.png) +![Update Compliance tile with data](images/UC_tile_filled.png) -When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that is associated with the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary: +The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed. -![Filled Update Compliance Tile](images/uc-filledworkspacetile.png) +## The Update Compliance workspace -The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was updated. +![Update Compliance workspace view](images/UC_workspace_needs_attention.png) -## The Update Compliance Workspace +When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data. -![Update Compliance workspace view](images/uc-filledworkspaceview.png) +### Overview blade -Upon clicking the tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview Blade providing a hub from which to navigate to different reports of your device’s data. +![The Overview blade](images/UC_workspace_overview_blade.png) -### Overview Blade - -![The Overview Blade](images/uc-overviewblade.png) - -Update Compliance’s overview blade provides a summarization of all the data Update Compliance focuses on. It functions as a hub from which different sections can be navigated to. The total number of devices detected by Update Compliance are counted within the title of this blade. What follows is a distribution for all devices as to whether they are up to date on: -* Quality updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. +Update Compliance’s overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: +* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. * AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Windows Defender Antivirus. -The blade also provides the time at which your Update Compliance workspace was refreshed. +The blade also provides the time at which your Update Compliance workspace was [refreshed](#data-latency). -Below the “Last Updated” time, a list of the different sections follows that can be clicked on to view more information, they are: -* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It counts the number of devices encountering issues and need attention; clicking into this provides blades that summarize the different issues that devices are encountering, and provides a List of Queries that Microsoft finds useful. -* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Clicking into this section provides blades that summarize the overall status of Quality updates across all devices; including deployment. -* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Clicking into this section provides blades that summarize the overall feature update status across all devices, with an emphasis on deployment progress. -* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Clicking into this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus. +The following is a breakdown of the different sections available in Update Compliance: +* [Need Attention!](update-compliance-need-attention.md) - This section is the default section when arriving to your Update Compliance workspace. It provides a summary of the different issues devices are facing relative to Windows 10 updates. +* [Security Update Status](update-compliance-security-update-status.md) - This section lists the percentage of devices that are on the latest security update released for the version of Windows 10 it is running. Selecting this section provides blades that summarize the overall status of security updates across all devices and a summary of their deployment progress towards the latest two security updates. +* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows 10 in your environment. +* [Windows Defender AV Status](update-compliance-wd-av-status.md) - This section lists the percentage of devices running Windows Defender Antivirus that are not sufficiently protected. Selecting this section provides a summary of signature and threat status across all devices that are running Windows Defender Antivirus. This section is not applicable to devices not running Windows Defender Antivirus or devices that do not meet the [prerequisites](update-compliance-get-started.md#update-compliance-prerequisites) to be assessed. +* [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. -Use [Perspectives](update-compliance-perspectives.md) for data views that provide deeper insight into your data. -## Utilizing Log Analytics +## Update Compliance data latency +Update Compliance uses Windows 10 diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. The process that follows is as follows: -Update Compliance is built upon the Log Analytics platform that is integrated into Operations Management Suite. All data within the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within OMS, can deeply enhance your experience and complement Update Compliance. +Update Compliance is refreshed every 12 hours. This means that every 12 hours all data that has been gathered over the last 12-hour interval is pushed to Log Analytics. However, the rate that each data type is sent and how long it takes to be ready for Update Compliance varies, roughly outlined below. +| Data Type | Refresh Rate | Data Latency | +|--|--|--| +|WaaSUpdateStatus | Once per day |4 hours | +|WaaSInsiderStatus| Once per day |4 hours | +|WaaSDeploymentStatus|Every update event (Download, install, etc.)|24-36 hours | +|WDAVStatus|On signature update|24 hours | +|WDAVThreat|On threat detection|24 hours | +|WUDOAggregatedStatus|On update event, aggregated over time|24-36 hours | +|WUDOStatus|Once per day|12 hours | + +This means you should generally expect to see new data every 24-36 hours, except for WaaSDeploymentStatus and WUDOAggregatedStatus, which may take 36-48 hours (if it misses the 36th hour refresh, it would be in the 48th, so the data will be present in the 48th hour refresh). + +## Using Log Analytics + +Update Compliance is built on the Log Analytics platform that is integrated into Operations Management Suite. All data in the workspace is the direct result of a query. Understanding the tools and features at your disposal, all integrated within OMS, can deeply enhance your experience and complement Update Compliance. See below for a few topics related to Log Analytics: * Learn how to effectively execute custom Log Searches by referring to Microsoft Azure’s excellent documentation on [querying data in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-log-searches). * To develop your own custom data views in Operations Management Suite or [Power BI](https://powerbi.microsoft.com/); check out documentation on [analyzing data for use in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-dashboards). -* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to utilize it to always stay informed about the most critical issues you care about. - ->[!NOTE] ->You can use the Feedback Hub App on Windows 10 devices to [provide feedback about Update Compliance](feedback-hub://?referrer=itProDocs&tabid=2&contextid=797) and other Windows Analytics solutions. +* [Gain an overview of Log Analytics’ alerts](https://docs.microsoft.com/azure/log-analytics/log-analytics-alerts) and learn how to use it to always stay informed about the most critical issues you care about. ## Related topics diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index c0f974d0c0..aaf6b63c0c 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md @@ -7,25 +7,29 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 05/17/2018 +ms.date: 10/04/2018 --- # Windows Defender AV Status -![The Windows Defender AV Status report](images/uc-windowsdefenderavstatus.png) +![The Windows Defender AV Status report](images/UC_workspace_WDAV_status.png) The Windows Defender AV Status section deals with data concerning signature and threat status for devices that use Windows Defender Antivirus. The section tile in the [Overview Blade](update-compliance-using.md#overview-blade) provides the percentage of devices with insufficient protection – this percentage only considers devices using Windows Defender Antivirus. >[!NOTE] ->Customers with E5 licenses can monitor the Windows Defender AV status by using the Windows Defender ATP portal. For more information about monitoring devices with this portal, see [Onboard Windows 10 machines](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). +>Update Compliance's Windows Defender Antivirus status is compatible with E3, B, F1, VL Professional and below licenses. Devices with an E5 license are not shown here; devices with an E5 license can be monitored using the [Windows Defender ATP portal](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection). If you'd like to learn more about Windows 10 licensing, see the [Windows 10 product licensing options](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx). -The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Clicking any of these statuses will navigate you to a Log Search view containing the query. +# Windows Defender AV Status sections +The **Protection Status** blade gives a count for devices that have either out-of-date signatures or real-time protection turned off. Below, it gives a more detailed breakdown of the two issues. Selecting any of these statuses will navigate you to a Log Search view containing the query. -The **Threat Status** blade provides a visualization of, for devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Clicking either of these will navigate to the respective query in Log Search for further investigation. +The **Threat Status** blade shows, among devices that have encountered threats, how many were and were not remediated successfully. It also provides a detailed count. Selecting either of these will take you to the respective query in Log Search for further investigation. -Here are some important terms to consider when utilizing the Windows Defender AV Status section of Update Compliance: -* **Signature out of date** devices are devices with signature older than 14 days. -* **No real-time protection** devices are devices who are using Windows Defender AV but have turned off Real-time protection. +Here are some important terms to consider when using the Windows Defender AV Status section of Update Compliance: +* **Signature out of date** devices are devices with a signature older than 14 days. +* **No real-time protection** devices are devices that are using Windows Defender AV but have turned off real-time protection. * **Recently disappeared** devices are devices that were previously seen by Windows Defender AV and are no longer seen in the past 7 days. -* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This can be due to reason like disk full, network error, operation aborted, etc. Manual intervention may be needed from IT team. -* **Not assessed** devices are devices where either a third-party AV solution is used or it has been more than 7 days since the device recently disappeared. +* **Remediation failed** devices are devices where Windows Defender AV failed to remediate the threat. This could be due to a number of reasons, including a full disk, network error, operation aborted, etc. Manual intervention might be needed from IT team. +* **Not assessed** devices are devices where either a non-Microsoft AV solution is used or it has been more than 7 days since the device recently disappeared. + +## Windows Defender data latency +Because of the way Windows Defender is associated with the rest of Windows device data, Defender data for new devices might take much longer to appear than other data types. This process could take up to 28 days. \ No newline at end of file diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 082dd4cb06..b44f133b50 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -7,7 +7,7 @@ ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 06/01/2018 +ms.date: 11/16/2018 --- # Configure Windows Update for Business @@ -20,12 +20,8 @@ ms.date: 06/01/2018 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still appear in some of our products. -> ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. -You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). +You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). >[!IMPORTANT] >For Windows Update for Business policies to be honored, the diagnostic data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). @@ -40,83 +36,77 @@ By grouping devices with similar deferral periods, administrators are able to cl >In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft’s design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/). -## Configure devices for Current Branch (CB) or Current Branch for Business (CBB) -With Windows Update for Business, you can set a device to be on either the Current Branch (CB) (now called Semi-Annual Channel (Targeted)) or the Current Branch for Business (CBB) (now called Semi-Annual Channel) servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). + +## Configure devices for the appropriate service channel + +With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the Semi-Annual Channel servicing branch. For more information on this servicing model, see [Windows 10 servicing options](waas-overview.md#servicing-channels). **Release branch policies** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | -| GPO for version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | -| MDM for version 1607 and above:
      ../Vendor/MSFT/Policy/Config/Update/
      **BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | -| MDM for version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | +| GPO for Windows 10, version 1607 or later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\BranchReadinessLevel | +| GPO for Windows 10, version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgrade | +| MDM for Windows 10, version 1607 or later:
      ../Vendor/MSFT/Policy/Config/Update/
      **BranchReadinessLevel** | \Microsoft\PolicyManager\default\Update\BranchReadinessLevel | +| MDM for Windows 10, version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **RequireDeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | -Starting with version 1703, users are able to configure their device's branch readiness level, by going to **Settings > Update & security > Windows Update > Advanced options**. +Starting with Windows 10, version 1703, users can configure the branch readiness level for their device by using **Settings > Update & security > Windows Update > Advanced options**. ![Branch readiness level setting](images/waas-wufb-settings-branch.jpg) >[!NOTE] >Users will not be able to change this setting if it was configured by policy. ->[!IMPORTANT] ->Devices on the Semi-Annual Channel (formerly called Current Branch for Business) must have their diagnostic data set to **1 (Basic)** or higher, in order to ensure that the service is performing at the expected quality. If diagnostic data is set to **0**, the device will be treated as if it were in the Semi-Annual Channel (Targeted)(formerly called Current Branch or CB) branch. For instructions to set the diagnostic data level, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). -## Configure when devices receive Feature Updates +## Configure when devices receive feature updates -After you configure the servicing branch (CB or CBB), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. +After you configure the servicing branch (Windows Insider Preview or Semi-Annual Channel), you can then define if, and for how long, you would like to defer receiving Feature Updates following their availability from Microsoft on Windows Update. You can defer receiving these Feature Updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value. >[!IMPORTANT] ->This policy does not apply to Windows 10 Mobile Enterprise. > ->You can only defer up to 180 days prior to version 1703. +>You can only defer up to 180 days on devices running Windows 10, version 1703. -**Examples** +For example, a device on the Semi-Annual Channel with `DeferFeatureUpdatesPeriodinDays=30` will not install a feature update that is first publicly available on Windows Update in September until 30 days later, in October. -| Settings | Scenario and behavior | -| --- | --- | -| Device is on CB
      DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Device will not receive update until February, 30 days later. | -| Device is on CBB
      DeferFeatureUpdatesPeriodinDays=30 | Feature Update X is first publically available on Windows Update as a CB in January. Four months later, in April, Feature Update X is released to CBB. Device will receive the Feature Update 30 days following this CBB release and will update in May. |

      -**Defer Feature Updates policies** +**Policy settings for deferring feature updates** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
      \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | -| GPO for version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | -| MDM for version 1607 and above:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | -| MDM for version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | +| GPO for Windows 10, version 1607 later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdates
      \Policies\Microsoft\Windows\WindowsUpdate\DeferFeatureUpdatesPeriodInDays | +| GPO for Windows 10, version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpgradePeriod | +| MDM for Windows 10, version 1607 and later:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferFeatureUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferFeatureUpdatesPeriodInDays | +| MDM for Windows 10, version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpgrade | >[!NOTE] ->If not configured by policy, users can defer feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**. +>If not configured by policy, individual users can defer feature updates by using **Settings > Update & security > Windows Update > Advanced options**. -## Pause Feature Updates +## Pause feature updates -You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again. +You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, you can then pause Feature Updates for the device again. -Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date. +Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. -In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date. +In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date. >[!IMPORTANT] ->This policy does not apply to Windows 10 Mobile Enterprise. > ->Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates. +>In Windows 10, version 1703 and later versions, you can pause feature updates to 35 days, similar to the number of days for quality updates. -**Pause Feature Updates policies** +**Policy settings for pausing feature updates** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
      **1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate | -| GPO for version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607 and above:
      ../Vendor/MSFT/Policy/Config/Update/
      **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
      **1703:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate | -| MDM for version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | +| GPO for Windows 10, version 1607 and later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Feature Updates are received** | **1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdates
      **1703 and later:** \Policies\Microsoft\Windows\WindowsUpdate\PauseFeatureUpdatesStartDate | +| GPO for Windows 10, version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | +| MDM for Windows 10, version 1607 and later:
      ../Vendor/MSFT/Policy/Config/Update/
      **PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates
      **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartDate | +| MDM for Windows 10, version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that Feature Updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +The local group policy editor (GPEdit.msc) will not reflect whether the Feature Update pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking Feature Updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | @@ -125,58 +115,58 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda | 2 | Feature Updates have auto-resumed after being paused | >[!NOTE] ->If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**. +>If not configured by policy, individual users can pause feature updates by using **Settings > Update & security > Windows Update > Advanced options**. -With version 1703, pausing through the settings app will provide a more consistent experience: -- Any active restart notification are cleared or closed -- Any pending restarts are canceled -- Any pending update installations are canceled -- Any update installation running when pause is activated will attempt to rollback +Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically: +- Any active restart notification are cleared or closed. +- Any pending restarts are canceled. +- Any pending update installations are canceled. +- Any update installation running when pause is activated will attempt to roll back. ## Configure when devices receive Quality Updates -Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. +Quality Updates are typically published on the first Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value. -You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When this is done, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates. +You can set your system to receive updates for other Microsoft products—known as Microsoft Updates (such as Microsoft Office, Visual Studio)—along with Windows Updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft Updates will follow the same deferral and pause rules as all other Quality Updates. >[!IMPORTANT] >This policy defers both Feature and Quality Updates on Windows 10 Mobile Enterprise. -**Defer Quality Updates policies** +**Policy settings for deferring quality updates** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
      \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | -| GPO for version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod | -| MDM for version 1607 and above:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | -| MDM for version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate | +| GPO for Windows 10, version 1607 and later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** | \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdates
      \Policies\Microsoft\Windows\WindowsUpdate\DeferQualityUpdatesPeriodInDays | +| GPO for Windows 10, version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\DeferUpdatePeriod | +| MDM for Windows 10, version 1607 and later:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferQualityUpdatesPeriodInDays** | \Microsoft\PolicyManager\default\Update\DeferQualityUpdatesPeriodInDays | +| MDM for Windows 10, version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\RequireDeferUpdate | >[!NOTE] ->If not configured by policy, users can defer quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**. +>If not configured by policy, individual users can defer quality updates by using **Settings > Update & security > Windows Update > Advanced options**. -## Pause Quality Updates +## Pause quality updates -You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the system will scan Windows Updates for applicable Quality Updates. Following this scan, Quality Updates for the device can then be paused again. +You can also pause a system from receiving Quality Updates for a period of up to 35 days from when the value is set. After 35 days has passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality Updates. Following this scan, you can then pause quality Updates for the device again. -Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date. +Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date. -In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date. +In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date. ->[!IMPORTANT] ->This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise. +>[!NOTE] +>Starting with Windows 10, version 1809, IT administrators can prevent individual users from pausing updates. -**Pause Quality Updates policies** +**Policy settings for pausing quality updates** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates
      **1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime | -| GPO for version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | -| MDM for version 1607 and above:
      ../Vendor/MSFT/Policy/Config/Update/
      **PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates
      **1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime | -| MDM for version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | +| GPO for Windows 10, version 1607 and later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Updates > **Select when Quality Updates are received** |**1607:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdates
      **1703:** \Policies\Microsoft\Windows\WindowsUpdate\PauseQualityUpdatesStartTime | +| GPO for Windows 10, version 1511:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Defer Upgrades and Updates** | \Policies\Microsoft\Windows\WindowsUpdate\Pause | +| MDM for Windows 10, version 1607 and later:
      ../Vendor/MSFT/Policy/Config/Update/
      **PauseQualityUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdates
      **1703:** \Microsoft\PolicyManager\default\Update\PauseQualityUpdatesStartTime | +| MDM for Windows 10, version 1511:
      ../Vendor/MSFT/Policy/Config/Update/
      **DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause | -You can check the date that Quality Updates were paused at by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +You can check the date that quality Updates were paused by checking the registry key **PausedQualityDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect if your Quality Update Pause period has expired. Although the device will resume Quality Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Quality Updates, you can check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +The local group policy editor (GPEdit.msc) will not reflect whether the quality Update pause period has expired. Although the device will resume quality Updates after 35 days automatically, the pause checkbox will remain selected in the policy editor. To check whether a device has automatically resumed taking quality Updates, check the status registry key **PausedQualityStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values: | Value | Status| | --- | --- | @@ -185,21 +175,22 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda | 2 | Quality Updates have auto-resumed after being paused | >[!NOTE] ->If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**. +>If not configured by policy, individual users can pause quality updates by using **Settings > Update & security > Windows Update > Advanced options**. -With version 1703, pausing through the settings app will provide a more consistent experience: +Starting with Windows 10, version 1703, using Settings to control the pause behavior provides a more consistent experience, specifically: - Any active restart notification are cleared or closed - Any pending restarts are canceled - Any pending update installations are canceled - Any update installation running when pause is activated will attempt to rollback -## Configure when devices receive Windows Insider preview builds +## Configure when devices receive Windows Insider Preview builds Starting with Windows 10, version 1709, you can set policies to manage preview builds and their delivery: The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public. * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* * MDM: **Update/ManagePreviewBuilds** +* System Center Configuration Manager: **Enable dual scan, manage through Windows Update for Business policy** >[!IMPORTANT] >This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here: @@ -212,18 +203,18 @@ The policy settings to **Select when Feature Updates are received** allows you t ## Exclude drivers from Quality Updates -In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete. +Starting with Windows 10, version 1607, you can selectively opt out of receiving driver update packages as part of your normal quality update cycle. This policy will not apply to updates to drivers provided with the operating system (which will be packaged within a security or critical update) or to Feature Updates, where drivers might be dynamically installed to ensure the Feature Update process can complete. -**Exclude driver policies** +**Policy settings to exclude drivers** | Policy | Sets registry key under **HKLM\Software** | | --- | --- | -| GPO for version 1607 and above:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | -| MDM for version 1607 and above:
      ../Vendor/MSFT/Policy/Config/Update/
      **ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | +| GPO for Windows 10, version 1607 and later:
      Computer Configuration > Administrative Templates > Windows Components > Windows Update > **Do not include drivers with Windows Updates** | \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | +| MDM for Windows 10, version 1607 and later:
      ../Vendor/MSFT/Policy/Config/Update/
      **ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate | -## Summary: MDM and Group Policy for version 1703 +## Summary: MDM and Group Policy settings for Windows 10, version 1703 and later -Below are quick-reference tables of the supported Windows Update for Business policy values for Windows 10, version 1607 and above. +The following are quick-reference tables of the supported policy values for Windows Update for Business in Windows 10, version 1607 and later. **GPO: HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate** @@ -252,25 +243,14 @@ Below are quick-reference tables of the supported Windows Update for Business po ## Update devices to newer versions -Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, also uses a few GPO and MDM keys that are different to what's available in version 1607. However, Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator. +Due to the changes in Windows Update for Business, Windows 10, version 1607 uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703 also uses a few GPO and MDM keys that are different from those available in version 1607. However, Windows Update for Business devices running older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator. ### How older version policies are respected on newer versions -When a client running a newer version sees an update available on Windows Update, the client will first evaluate and execute against the Windows Updates for Business policy keys for it's version. If these are not present, it will then check to see if any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. +When a device running a newer version sees an update available on Windows Update, the device first evaluates and executes the Windows Updates for Business policy keys for its current (newer) version. If these are not present, it then checks whether any of the older version keys are set and defer accordingly. Update keys for newer versions will always supersede the older equivalent. -### Comparing the version 1511 keys to the version 1607 keys -In the Windows Update for Business policies in version 1511, all the deferral rules were grouped under a single policy where pausing affected both upgrades and updates. In Windows 10, version 1607, this functionality has been broken out into separate polices: deferral of Feature and Quality Updates can be enabled and paused independently of one other. - -
      TopicDescription
      [Overview of Windows Autopilot](windows-autopilot/windows-10-autopilot.md) Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
      [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) Windows Autopilot deployment is a new cloud service from Microsoft that provides a zero touch experience for deploying Windows 10 devices.
      [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) This topic provides information about support for upgrading directly to Windows 10 from a previous operating system.
      [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) This topic provides information about support for upgrading from one edition of Windows 10 to another.
      [Windows 10 volume license media](windows-10-media.md) This topic provides information about media available in the Microsoft Volume Licensing Service Center.
      - -
      Group Policy keys
      Version 1511 GPO keysVersion 1607 GPO keys
      **DeferUpgrade**: *enable/disable*
      Enabling allows user to set deferral periods for upgrades and updates. It also puts the device on CBB (no ability to defer updates while on the CB branch).

      **DeferUpgradePeriod**: *0 - 8 months*

      **DeferUpdatePeriod**: *1 – 4 weeks*

      **Pause**: *enable/disable*
      Enabling will pause both upgrades and updates for a max of 35 days
      		**DeferFeatureUpdates**: *enable/disable*

      **BranchReadinessLevel**
      Set device on CB or CBB

      **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

      **PauseFeatureUpdates**: *enable/disable*
      Enabling will pause Feature updates for a max of 60 days

      **DeferQualityUpdates**: *Enable/disable*

      **DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

      **PauseQualityUpdates**: *enable/disable*
      Enabling will pause Quality updates for a max of 35 days

      **ExcludeWUDrivers**: *enable/disable*
      - - - -
      MDM keys
      Version 1511 MDM keysVersion 1607 MDM keys
      **RequireDeferUpgade**: *bool*
      Puts the device on CBB (no ability to defer updates while on the CB branch).

      **DeferUpgradePeriod**: *0 - 8 months*

      **DeferUpdatePeriod**: *1 – 4 weeks*

      **PauseDeferrals**: *bool*
      Enabling will pause both upgrades and updates for a max of 35 days
      		**BranchReadinessLevel**
      Set system on CB or CBB

      **DeferFeatureUpdatesPeriodinDays**: *1 - 180 days*

      **PauseFeatureUpdates**: *enable/disable*
      Enabling will pause Feature updates for a max of 60 days

      **DeferQualityUpdatesPeriodinDays**: *0 - 35 days*

      **PauseQualityUpdates**: *enable/disable*
      Enabling will pause Quality updates for a max of 35 days

      **ExcludeWUDriversInQualityUpdate**: *enable/disable*
      - -### Comparing the version 1607 keys to the version 1703 keys +### Comparing keys in Windows 10, version 1607 to Windows 10, version 1703 | Version 1607 key | Version 1703 key | | --- | --- | diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md index d2ea74fd39..9897eb371d 100644 --- a/windows/deployment/update/waas-integrate-wufb.md +++ b/windows/deployment/update/waas-integrate-wufb.md @@ -90,7 +90,7 @@ For Windows 10, version 1607, organizations already managing their systems with ![Example of unknown devices](images/wufb-sccm.png) -For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/en-us/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10). +For more information, see [Integration with Windows Update for Business in Windows 10](https://docs.microsoft.com/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10). ## Related topics diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index b726f5ba97..4df6cd83e0 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -7,7 +7,7 @@ ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 06/01/2018 +ms.date: 11/16/2018 --- # Deploy updates using Windows Update for Business @@ -20,12 +20,9 @@ ms.date: 06/01/2018 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) ->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB, and LTSB might still apear in some of our products. -> ->In the following settings, CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. -Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined machines. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices. + +Windows Update for Business enables information technology administrators to keep the Windows 10 devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or MDM solutions such as Intune to configure the Windows Update for Business settings that control how and when Windows 10 devices are updated. In addition, by using Intune, organizations can manage devices that are not joined to a domain at all or are joined to Microsoft Azure Active Directory (Azure AD) alongside your on-premises domain-joined devices. Windows Update for Business leverages diagnostic data to provide reporting and insights into an organization's Windows 10 devices. Specifically, Windows Update for Business allows for: @@ -35,7 +32,7 @@ Specifically, Windows Update for Business allows for: - Peer-to-peer delivery for Microsoft updates, which optimizes bandwidth efficiency and reduces the need for an on-site server caching solution. - Control over diagnostic data level to provide reporting and insights in Windows Analytics. -Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education. +Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro Education, and Education editions. >[!NOTE] >See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10. @@ -48,79 +45,70 @@ Windows Update for Business provides three types of updates to Windows 10 device - **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates. - **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred. -Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. +Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business. Deferrals work by allowing you to specify the number of days after an update is released before it is offered to a device (if you set a deferral period of 365 days, the update will not be offered until 365 days after that update was released). -| Category | Maximum deferral | Deferral increments | Example | Classification GUID | +| Category | Maximum deferral | Deferral increments | Example | WSUS classification GUID | | --- | --- | --- | --- | --- | -| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days
      In Windows 10, version 1703 maximum is 365 | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 | -| Quality Updates | 30 days | Days | Security updates
      Drivers (optional)
      Non-security updates
      Microsoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441
      EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
      CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
      varies | +| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days.
      From Windows 10, version 1703 to version 1809, the maximum is 365 days. | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 | +| Quality Updates | 30 days | Days | Security updates
      Drivers (optional)
      Non-security updates
      Microsoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441

      EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0

      CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83

      varies | | Non-deferrable | No deferral | No deferral | Definition updates | E0789628-CE08-4437-BE74-2495B842F43B | >[!NOTE] ->For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/en-us/library/ff357803.aspx). +>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/library/ff357803.aspx). -## Changes to Windows Update for Business in Windows 10, version 1709 +## Windows Update for Business in various Windows 10 versions -The group policy path for Windows Update for Business was changed to correctly reflect its association to Windows Update for Business. +Windows Update for Business was first available in Windows 10, version 1511. This diagram lists new or changed capabilities and updated behavior in subsequent versions. -| Prior to Windows 10, version 1709 | Windows 10, version 1709 | -| --- | --- | -| Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business | -We have added the ability to manage Windows Insider preview builds and their delivery: +| Windows 10, version 1511 | 1607 | 1703 | 1709 | 1803 | 1809 | +| --- | --- | --- | --- | --- | --- | +| Defer quality updates
      Defer feature updates
      Pause updates | All 1511 features, plus: **WSUS integration** | All 1607 features, plus **Settings controls** | All 1703 features, plus **Ability to set slow vs. fast Insider Preview branch** | All 1709 features, plus **Uninstall updates remotely** | All 1803 features, plus **Option to use default automatic updates**
      **Ability to set separate deadlines for feature vs. quality updates**
      **Admins can prevent users from pausing updates** +## Managing Windows Update for Business with Group Policy -The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* -* MDM: **Update/ManagePreviewBuilds** +The group policy path for Windows Update for Business has changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage pre-release Windows Insider Preview builds in Windows 10, version 1709. ->[!IMPORTANT] ->This policy replaces the "Toggle user control over Insider builds" policy under that is only supported up to Windows 10, version 1703. You can find the older policy here: ->* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds** ->* MDM: **System/AllowBuildPreview** +| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 | +| --- | --- | --- | +| Set Windows Update for Business Policies | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Defer Windows Update | Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business | +| Manage Windows Insider Preview builds | Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds/Toggle user control over Insider builds | Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business - *Manage preview builds* | +| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received
      (Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business - **Select when Preview Builds and Feature Updates are received**) | -The policy settings to **Select when Feature Updates are received** is now called **Select when Preview Builds and Feature Updates are received**. In addition to previous functionality, it now allows you to choose between preview flight rings, and allows you to defer or pause their delivery. -* Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/ Windows Update for Business** - *Select when Preview Builds and Feature Updates are received* -* MDM: **Update/BranchReadinessLevel** +## Managing Windows Update for Business with MDM -## Changes to Windows Update for Business in Windows 10, version 1703 +Starting with Windows 10, version 1709, Windows Update for Business was changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage Windows Insider Preview builds in 1709. -### Options added to Settings +| Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 | +| --- | --- | --- | +| Manage Windows Insider Preview builds | System/AllowBuildPreview | Update/ManagePreviewBuilds | +| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Update/BranchReadinessLevel) | -We have added a few controls into settings to allow users to control Windows Update for Business through an interface. -- [Configuring the device's branch readiness level](waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), through **Settings > Update & security > Windows Update > Advanced options** -- [Pausing feature updates](waas-configure-wufb.md#pause-feature-updates), through **Settings > Update & security > Window Update > Advanced options** +## Managing Windows Update for Business with Software Center Configuration Manager -### Adjusted time periods +Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within Software Center Configuration Manager. -We have adjusted the maximum pause period for both quality and feature updates to be 35 days, as opposed to 30 and 60 days previously, respectively. +| Action | Windows 10 versions between 1709 and 1809 | Windows 10 versions after 1809 | +| --- | --- | --- | +| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within Software Center Configuration Manager | -We have also adjusted the maximum feature update deferral period to be 365 days, as opposed to 180 days previously. +## Managing Windows Update for Business with Windows Settings options +Windows Settings includes options to control certain Windows Update for Business features: -### Additional changes +- [Configure the readiness level](waas-configure-wufb.md#configure-devices-for-the-appropriate-service-channel) for a branch by using **Settings > Update & security > Windows Update > Advanced options** +- [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) by using Settings > Update & security > Window Update > Advanced options -The pause period is now calculated starting from the set start date. For additional details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). Due to that, some policy keys are now named differently. For more information, see [Comparing the version 1607 keys to the version 1703 keys](waas-configure-wufb.md#comparing-the-version-1607-keys-to-the-version-1703-keys). +## Other changes in Windows Update for Business in Windows 10, version 1703 and later releases -## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607 -Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior. +### Pause and deferral periods ->[!NOTE] ->For more information on Current Branch (Semi-Annual Channel (Targeted)) and Current Branch for Business (Semi-Annual Channel), see [Windows 10 servicing options](waas-overview.md#servicing-channels). +The maximum pause time period is 35 days for both quality and feature updates. The maximum deferral period for feature updates is 365 days. - - - - - - - - - - - -
      CapabilityWindows 10, version 1511Windows 10, version 1607

      Select servicing options: CB or CBB

      Not available. To defer updates, all systems must be on the Current Branch for Business (CBB)

      Ability to set systems on the Current Branch (CB) or Current Branch for Business (CBB).

      Quality Updates

      Able to defer receiving Quality Updates:

      • Up to 4 weeks
      • In weekly increments

      Able to defer receiving Quality Updates:

      • Up to 30 days
      • In daily increments

      Feature Updates

      Able to defer receiving Feature Updates:

      • Up to 8 months
      • In monthly increments

      Able to defer receiving Feature Updates:

      • Up to 180 days
      • In daily increments

      Pause updates

      • Feature Updates and Quality Updates paused together
      • Maximum of 35 days

      Features and Quality Updates can be paused separately.

      • Feature Updates: maximum 60 days
      • Quality Updates: maximum 35 days

      Drivers

      No driver-specific controls

      Drivers can be selectively excluded from Windows Update for Business.

      +Also, the pause period is calculated from the set start date. For more details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). As a result, certain policy keys have different names; see the "Comparing keys in Windows 10, version 1607 to Windows 10, version 1703" section in [Configure Windows Update for Business](waas-configure-wufb.md) for details. -## Monitor Windows Updates using Update Compliance + + +## Monitor Windows Updates by using Update Compliance Update Compliance, now **available in public preview**, provides a holistic view of OS update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This new service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without additional infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated. diff --git a/windows/deployment/update/waas-morenews.md b/windows/deployment/update/waas-morenews.md new file mode 100644 index 0000000000..a8a889c72c --- /dev/null +++ b/windows/deployment/update/waas-morenews.md @@ -0,0 +1,19 @@ +--- +title: Windows as a service +ms.prod: w10 +ms.topic: article +ms.manager: elizapo +author: lizap +ms.author: elizapo +ms.date: 12/19/2018 +ms.localizationpriority: high +--- +# Windows as a service - More news + +Here's more news about [Windows as a service](windows-as-a-service.md): + + \ No newline at end of file diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 831d0da5ff..70cba0bcec 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -7,7 +7,7 @@ ms.sitesec: library author: DaniHalfin ms.localizationpriority: medium ms.author: daniha -ms.date: 07/27/2017 +ms.date: 09/24/2018 --- # Optimize Windows 10 update delivery @@ -38,7 +38,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10. | Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager | | --- | --- | --- | --- | --- | -| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | +| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | | BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | >[!NOTE] @@ -54,7 +54,7 @@ Windows 10 quality update downloads can be large because every package contains >Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business. ### How Microsoft supports Express -- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or 1607 with the April 2017 cumulative update. +- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager and Windows 10, version 1703 or later, or Windows 10, version 1607 with the April 2017 cumulative update. - **Express on WSUS Standalone** Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx). diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 9b07031bb6..3e82500cc3 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -8,7 +8,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 09/07/2018 +ms.date: 09/24/2018 --- # Overview of Windows as a service @@ -74,7 +74,7 @@ As part of the alignment with Windows 10 and Office 365 ProPlus, we are adopting * Long-Term Servicing Channel -  The Long-Term Servicing Branch (LTSB) will be referred to as Long-Term Servicing Channel (LTSC). >[!IMPORTANT] ->With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion, regardless of the "Targeted" designation. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. For nmore information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747). +>With each Semi-Annual Channel release, we recommend beginning deployment right away to devices selected for early adoption (targeted validation) and ramp up to full deployment at your discretion, regardless of the "Targeted" designation. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. For more information, see the blog post [Windows 10 and the "disappearing" SAC-T](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747). >[!NOTE] >For additional information, see the section about [Servicing Channels](#servicing-channels). @@ -121,7 +121,12 @@ Once the latest release went through pilot deployment and testing, you choose th When Microsoft officially releases a feature update for Windows 10, it is made available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). -Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases, while after about 4 months, we will announce broad deployment readiness, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Each feature update release will be supported and updated for 18 months from the time of its release + +Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases. All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release. + +>[!NOTE] +All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607, 1703, 1709 and 1803. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18 month lifecycle. + >[!NOTE] >Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools. diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index bb2378b3a9..ed003254cc 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -8,7 +8,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 05/29/2018 +ms.date: 10/17/2018 --- # Quick guide to Windows as a service @@ -35,6 +35,8 @@ Some new terms have been introduced as part of Windows as a service, so you shou See [Overview of Windows as a service](waas-overview.md) for more information. +For some interesting in-depth information about how cumulative updates work, see [Windows Updates using forward and reverse differentials](PSFxWhitepaper.md). + ## Key Concepts Windows 10 gains new functionality with twice-per-year feature update releases. Initially, organizations will use these feature update releases for pilot deployments to ensure compatibility with existing apps and infrastructure. After a period of time, typically about four months after the feature update release, broad deployment throughout the organization can begin. The exact timeframe is determined by feedback from customers, ISVs, OEMs, and others, with an explicit "ready for broad deployment" declaration signaling this to customers. diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md new file mode 100644 index 0000000000..cb55ad0bc9 --- /dev/null +++ b/windows/deployment/update/waas-servicing-differences.md @@ -0,0 +1,106 @@ +--- +title: Servicing differences between Windows 10 and older operating systems +description: Learn the differences between servicing Windows 10 and servicing older operating systems. +keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +author: KarenSimWindows +ms.localizationpriority: medium +ms.author: karensim +ms.date: 11/09/2018 +--- +# Understanding the differences between servicing Windows 10-era and legacy Windows operating systems + +>Applies to: Windows 10 + +Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates. + +The following provides an initial overview of how updating client and server differs between the Windows 10-era operating systems (such as Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2). + +>[!NOTE] +> A note on naming convention in this article: For brevity, "Windows 10" refers to all operating systems across client, server and IoT released since July 2015, while "legacy" refers to all operating systems prior to that period for client and server, including Windows 7, Window 8.1, Windows Server 2008 R2, Windows Server 2012 R2, etc. + +## Infinite fragmentation +Prior to Windows 10, all updates to operating system (OS) components were published individually. On "Update Tuesday," customers would pick and choose individual updates they wanted to apply. Most chose to update security fixes, while far fewer selected non-security fixes, updated drivers, or installed .NET Framework updates. + +As a result, each environment with the global Windows ecosystem that had only a subset of security and non-security fixes installed had a different set of binaries and behaviors than those that consistently installed every available update as tested by Microsoft. + +This resulted in a fragmented ecosystem that created diverse challenges in predictively testing interoperability, resulting in high update failure rates - which were subsequently mitigated by customers removing individual updates that were causing issues. Each customer that selectively removed individual updates amplified this fragmentation by creating more diverse environment permutations across the ecosystem. As an IT Administrator once quipped, "If you’ve seen one Windows 7 PC, you have seen one Windows 7 PC," suggesting no consistency or predictability across more than 250M commercial devices at the time. + +## Windows 10 – Next generation +Windows 10 provided an opportunity to end the era of infinite fragmentation. With Windows 10 and the Windows as a service model, updates came rolled together in the "latest cumulative update" (LCU) packages for both client and server. Every new update published includes all changes from previous updates, as well as new fixes. Since Windows client and server share the same code base, these LCUs This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU. + +Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update. + +![Servicing cadence](images/servicing-cadence.png) + +Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each. + +This cumulative update model for Windows 10 has helped provide the Windows ecosystem with consistent update experiences that can be predicted by baseline testing before release. Even with highly complex updates with hundreds of fixes, the number of incidents with monthly security updates for Windows 10 have fallen month over month since the initial release of Windows 10. + +### Points to consider + +- Windows 10 does not have the concept of a Security-Only or Monthly Rollup for updates. All updates are an LCU package, which includes the last release plus anything new. +- Windows 10 no longer has the concept of a "hotfix" since all individual updates must be rolled into the cumulative packages. (Note: Any private fix is offered for customer validation only, and then rolled into an LCU.) +- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model. +- For Windows 10, available update types vary by publishing channel: + - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates. + - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this [example](https://support.microsoft.com/help/4132650/servicing-stack-update-for-windows-10-version-1709-may-21-2018) for Windows 10, version 1709). For more information on Servicing Stack Updates, please see this [blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434). + - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date. +- Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section). + +## Windows 7 and legacy OS versions +While Windows 10 updates could have been controlled as cumulative from "Day 1," the legacy OS ecosystem for both client and server was highly fragmented. Recognizing the challenges of update quality in a fragmented environment, we moved Windows 7 to a cumulative update model in October 2016. + +Customers saw the LCU model used for Windows 10 as having packages that were too large and represented too much of a change for legacy operating systems, so a different model was implemented. Windows instead offered two cumulative package types for all legacy operating systems: Monthly Rollups and Security-only updates. + +The Monthly Rollup includes new non-security, security updates, Internet Explorer (IE) updates, and all updates from the previous month, similar to the Windows 10 model. The Security-only package includes new security updates and all security updates from the previous month. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10. + +Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments have fully updated machines, which means that the baseline against which all legacy OS version updates are tested include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously. + +### Points to consider +- Windows 7 and Windows 8 legacy operating system updates [moved from individual to cumulative in October 2016](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783). Devices with updates missing prior to that point are still missing those updates, as they were not included in the subsequent cumulative packages. +- "Hotfixes" are no longer published for legacy OS versions. All updates are rolled into the appropriate package depending on their classification as either non-security, security, or Internet Explorer updates. (Note: any private fix is offered for customer validation only. Once validated they are then rolled into a Monthly Rollup or IE cumulative update, as appropriate.) +- Both Monthly Rollups and Security-only updates released on Update Tuesday for legacy OS versions are identified as "security, critical" updates, because both have the full set of security updates in them. The Monthly Rollup has additional non-security updates that are not included in the Security Only update. The "security" classification requires the device be rebooted so the update can be fully installed. +- Despite the cumulative nature of both Monthly Rollups and Security-only updates, switching between these update types is not advised. Small differences in the baselines of these packages may result in installation errors and conflicts. Choosing one and staying on that update type – Monthly Rollup or Security-only – is recommended. +- In [February 2017](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798), Windows pulled IE updates out of the legacy OS versions Security-only updates, while leaving them in the Monthly Rollup updates. This was done specifically to reduce package size based on customer feedback. +- The IE cumulative update includes both security and non-security updates and is also needed for to help secure the entire environment. This update can be installed separately or as part of the Monthly Rollup. +- [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in legacy Monthly Rollup or Security Only packages. They are separate packages with different behaviors depending on the version of the .NET Framework, and which legacy OS, being updated. +- For [Windows Server 2008 SP2](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/), cumulative updates began in October 2018, and follow the same model as Windows 7. Updates for IE9 are included in those packages, as the last supported version of Internet Explorer for that Legacy OS version. + +## Public preview releases +Lastly, the cumulative update model directly impacts the public Preview releases offered in the 3rd and/or 4th weeks of the month. Update Tuesday, also referred to as the "B" week release occurs on the second Tuesday of the month. It is always a required security update across all operating systems. In addition to this monthly release, Windows also releases non-security update "previews" targeting the 3rd (C) and the 4th (D) weeks of the month. These preview releases include that month’s B-release plus a set of non-security updates for testing and validation as a cumulative package. We recommend IT Administrators uses the C/D previews to test the update in their environments. Any issues identified with the updates in the C/D releases are identified and then fixed or removed, prior to being rolled up in to the next month’s B release package together with new security updates. + +### Examples +Windows 10 version 1709: + +- (9B) September 11, 2018 Update Tuesday / B release - includes security, non-security and IE update. This update is categorized as "Required, Security" it requires a system reboot. +- (9C) September 26, 2018 Preview C release - includes everything from 9B PLUS some non-security updates for testing/validation. This update is qualified as not required, non-security. No system reboot is required. +- (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot. + +All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models. + +![Servicing preview releases](images/servicing-previews.png) + +### Previews vs. on-demand releases +In 2018, we experienced incidents that required urgent remediation that didn’t map to the monthly update release cadence. These incidents were situations that required an immediate fix to an Update Tuesday release. While Windows engineering worked aggressively to respond within a week of the B-release, these "on-demand" releases created confusion with the C Preview releases. + +#### Points to consider: +- When Windows identifies an issue with a Update Tuesday release, engineering teams work to remediate or fix the issue as quickly as possible. The outcome is often a new update which may be released at any time, including during the 3rd or 4th week of the month. Such updates are independent of the regularly scheduled "C" and "D" update previews. These updates are created on-demand to remediate a customer impacting issue. In most cases they are qualified as a "non-security" update, and do not require a system reboot. +- With the new Windows Update (WU) architecture, updates can be targeted to affected devices. This targeting is not available through the Update Catalog or WSUS channels, however. +- On-demand releases address a specific issue with an Update Tuesday release and are often qualified as "non-security" for one of two reasons. First, the fix may not be an additional security fix, but a non-security change to the update. Second, the "non-security" designation allows individuals or companies to choose when and how to reboot the devices, rather than forcing a system reboot on all Windows devices receiving the update globally. This trade-off is rarely a difficult choice as it has the potential to impact customer experience across client and server, across consumer and commercial customers for more than one billion devices. +- Because the cumulative model is used across Window 10 and legacy Windows OS versions, despite variations between these OS versions, an out of band release will include all of the changes from the Update Tuesday release plus the fix that addresses the issue. And since Windows no longer releases hotfixes, everything is cumulative in some way. + +In closing, I hope this overview of the update model across current and legacy Windows OS versions highlights the benefits of the Windows 10 cumulative update model to help defragment the Windows ecosystem environments, simplify servicing and help make systems more secure. + + +## Resources +- [Simplifying updates for Windows 7 and 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplifying-updates-for-Windows-7-and-8-1/ba-p/166530) +- [Further simplifying servicing models for Windows 7 and Windows 8.1](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Further-simplifying-servicing-models-for-Windows-7-and-Windows-8/ba-p/166772) +- [More on Windows 7 and Windows 8.1 servicing changes](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/More-on-Windows-7-and-Windows-8-1-servicing-changes/ba-p/166783) +- [.NET Framework Monthly Rollups Explained](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) +- [Simplified servicing for Windows 7 and Windows 8.1: the latest improvements](https://techcommunity.microsoft.com/t5/Windows-Blog-Archive/Simplified-servicing-for-Windows-7-and-Windows-8-1-the-latest/ba-p/166798) +- [Windows Server 2008 SP2 servicing changes](https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/) +- [Windows 10 update servicing cadence](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376) +- [Windows 7 servicing stack updates: managing change and appreciating cumulative updates](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434) diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index 668d342d72..6041f964a6 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -4,10 +4,10 @@ description: A strong Windows 10 deployment strategy begins with establishing a ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: DaniHalfin +author: Jaimeo ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +ms.author: jaimeo +ms.date: 11/02/2018 --- # Prepare servicing strategy for Windows 10 updates @@ -20,17 +20,17 @@ ms.date: 07/27/2017 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. Figure 1 shows the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years. +In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has completely changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years. -**Figure 1** ![Compare traditional servicing to Windows 10](images/waas-strategy-fig1a.png) Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like: -- **Configure test devices.** Configure testing PCs in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-annual Channel. Typically, this would be a small number of test machines that IT staff members use to evaluate prereleased builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. -- **Identify excluded PCs.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these PCs, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. +- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. +- **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. +- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) - **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or System Center Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). - **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 2142d3ee8f..49a13d74fc 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -28,9 +28,16 @@ Using Group Policy to manage Windows Update for Business is simple and familiar: In Windows 10 version 1511, only Current Branch for Business (CBB) upgrades could be delayed, restricting the Current Branch (CB) builds to a single deployment ring. Windows 10 version 1607, however, has a new Group Policy setting that allows you to delay feature updates for both CB and CBB, broadening the use of the CB servicing branch. ->[!NOTE] +>[!NOTES] >The terms *feature updates* and *quality updates* in Windows 10, version 1607, correspond to the terms *upgrades* and *updates* in version 1511. +>To follow the instructions in this article, you will need to download and install the relevant ADMX templates for your Windows 10 version. +>See the following articles for instructions on the ADMX templates in your environment. + +> - [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759) +> - [Step-By-Step: Managing Windows 10 with Administrative templates](https://blogs.technet.microsoft.com/canitpro/2015/10/20/step-by-step-managing-windows-10-with-administrative-templates/) + + To use Group Policy to manage quality and feature updates in your environment, you must first create Active Directory security groups that align with your constructed deployment rings. Most customers have many deployment rings already in place in their environment, and these rings likely align with existing phased rollouts of current patches and operating system upgrades. ## Configure Windows Update for Business in Windows 10 version 1511 @@ -341,7 +348,7 @@ The **Ring 4 Broad business users** deployment ring has now been configured. Fin ## Known issues The following article describes the known challenges that can occur when you manage a Windows 10 Group policy client base: -- [Known issues managing a Windows 10 Group Policy client in Windows Server 2012 R2](https://support.microsoft.com/en-us/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv) +- [Known issues managing a Windows 10 Group Policy client in Windows Server 2012 R2](https://support.microsoft.com/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv) ## Related topics diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md index df5ea1250d..7b60f589cb 100644 --- a/windows/deployment/update/waas-wufb-intune.md +++ b/windows/deployment/update/waas-wufb-intune.md @@ -32,7 +32,7 @@ Windows Update for Business in Windows 10 version 1511 allows you to delay quali To use Intune to manage quality and feature updates in your environment, you must first create computer groups that align with your constructed deployment rings. >[!NOTE] ->Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](https://docs.microsoft.com/en-us/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune) +>Coming soon: [Intune Groups will be converted to Azure Active Directory-based Security Groups](https://docs.microsoft.com/intune/deploy-use/use-groups-to-manage-users-and-devices-with-microsoft-intune) ## Configure Windows Update for Business in Windows 10, version 1511 diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index 325a6a229a..bf0ebdf02d 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 08/21/2018 +ms.date: 10/29/2018 ms.localizationpriority: medium --- @@ -33,10 +33,14 @@ If you've followed the steps in the [Enrolling devices in Windows Analytics](win [Upgrade Readiness shows many "Computers with outdated KB"](#upgrade-readiness-shows-many-computers-with-outdated-kb) +[Upgrade Readiness shows many "Computers with incomplete data"](#upgrade-readiness-shows-many-computers-with-incomplete-data) + [Upgrade Readiness doesn't show app inventory data on some devices](#upgrade-readiness-doesnt-show-app-inventory-data-on-some-devices) [Upgrade Readiness doesn't show IE site discovery data from some devices](#upgrade-readiness-doesnt-show-ie-site-discovery-data-from-some-devices) +[Device names not appearing for Windows 10 devices](#device-names-not-appearing-for-windows-10-devices) + [Disable Upgrade Readiness](#disable-upgrade-readiness) [Exporting large data sets](#exporting-large-data-sets) @@ -101,7 +105,7 @@ If you know that devices are experiencing stop error crashes that do not seem to [![Event viewer detail showing Event 1001 details](images/event_1001.png)](images/event_1001.png) - You can use the following Windows PowerShell snippet to summarize recent occurences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however). + You can use the following Windows PowerShell snippet to summarize recent occurrences of Event 1001. Most events should have a value for BucketID (a few intermittent blank values are OK, however). ```powershell $limitToMostRecentNEvents = 20 @@ -191,7 +195,7 @@ Finally, Upgrade Readiness only collects IE site discovery data on devices that >[!NOTE] > IE site discovery is disabled on devices running Windows 7 and Windows 8.1 that are in Switzerland and EU countries. -### Device Names don't show up on Windows 10 devices +### Device names not appearing for Windows 10 devices Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). ### Disable Upgrade Readiness @@ -256,4 +260,4 @@ Currently, you can choose the criteria you wish to use: - To use the Upgrade Readiness criteria, export the list of ready-to-upgrade devices from the corresponding Upgrade Readiness report, and then build the SCCM collection from that spreadsheet. ### How does Upgrade Readiness collect the inventory of devices and applications? -For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog. \ No newline at end of file +For details about this process and some tips, see [How does Upgrade Readiness in WA collects application inventory for your OMS workspace?](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/How-does-Upgrade-Readiness-in-WA-collects-application-inventory/ba-p/213586) on the Windows Analytics blog. diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md index 34fd777734..2a37f7db2f 100644 --- a/windows/deployment/update/windows-analytics-azure-portal.md +++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -5,7 +5,7 @@ keywords: Device Health, oms, Azure, portal, operations management suite, add, m ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 09/12/2018 +ms.date: 10/05/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo @@ -26,16 +26,21 @@ Go to the [Azure portal](https://portal.azure.com), select **All services**, and ### Permissions +It's important to understand the difference between Azure Active Directory and an Azure subscription: + +**Azure Active Directory** is the directory that Azure uses. Azure Active Directory (AD) is a separate service which sits by itself and is used by all of Azure and also Office 365. + +An **Azure subscription** is a container for billing, but also acts as a security boundary. Every Azure subscription has a trust relationship with at least one Azure AD instance. This means that a subscription trusts that directory to authenticate users, services, and devices. + + >[!IMPORTANT] ->Unlike the OMS portal, the Azure portal requires access to both an Azure Log Analytics subscription and a linked Azure subscription. +>Unlike the OMS portal (which only requires permission to access the Azure Log Analytics workspace), the Azure portal also requires access to be configured to either the linked *Azure subscription* or Azure resource group. To check the Log Analytics workspaces you can access, select **Log Analytics**. You should see a grid control listing all workspaces, along with the Azure subscription each is linked to: [![Log Analytics workspace page showing accessible workspaces and linked Azure subscriptions](images/azure-portal-LAmain-wkspc-subname-sterile.png)](images/azure-portal-LAmain-wkspc-subname-sterile.png) -If you do not see your workspace in this view, you do not have access to the underlying Azure subscription. To view and assign permissions for a workspace, select its name and then, in the flyout that opens, select **Access control (IAM)**. You can view and assign permissions for a subscription similarly by selecting the subscription name and selecting **Access control (IAM)**. - -The Azure subscription requires at least "Log Analytics Reader" permission. Making changes (for example, to set app importance in Upgrade Readiness) requires "Log Analytics Contributor" permission. You can view your current role and make changes in other roles by using the Access control (IAM) tab in Azure. These permissions will be inherited by Azure Log Analytics. +If you do not see your workspace in this view, but you are able to access the workspace from the classic portal, that means you do not have access to the workspace's Azure subscription or resource group. To remedy this, you will need to find someone with admin rights to grant you access, which they can do by selecting the subscription name and selecting **Access control (IAM)** (alternatively they can configure your access at the resource group level). They should either grant you "Log Analytics Reader" access (for read-only access) or "Log Analytics Contributor" access (which enables making changes such as creating deployment plans and changing application readiness states). When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page. @@ -60,4 +65,4 @@ From there, select the settings page to adjust specific settings: [![Settings page for Upgrade Readiness in Azure portsl](images/azure-portal-UR-settings.png)](images/azure-portal-UR-settings.png) >[!NOTE] ->To adjust these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. \ No newline at end of file +>To adjust these settings, both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 294030a5a5..1ea7a5532f 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 08/01/2018 +ms.date: 11/01/2018 ms.localizationpriority: medium --- @@ -41,24 +41,31 @@ Microsoft uses a unique commercial ID to map information from user computers to ## Enable data sharing -To enable data sharing, configure your proxy sever to whitelist the following endpoints. You might need to get approval from your security group to do this. +To enable data sharing, configure your proxy server to whitelist the following endpoints. You might need to get approval from your security group to do this. | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| -| `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803| +|`https://ceuswatcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | +| `https://ceuswatcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | +| `https://eaus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | +| `https://eaus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | +| `https://weus2watcab01.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | +| `https://weus2watcab02.blob.core.windows.net` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports in Windows 10, version 1809 or later. Not used by Upgrade Readiness. | +| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with devices runningrunning Windows 10, version 1703 or later **that also have the 2018-09 Cumulative Update (KB4458469, KB4457136, KB4457141) or later installed** | +| `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803 *without* the 2018-09 Cumulative Update installed | | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier | | `https://vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 | -| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. +| `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. | | `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. | | `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | | `https://oca.telemetry.microsoft.com` | Online Crash Analysis; required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | -| `https://login.live.com` | Windows Error Reporting (WER); required by Device Health. **Note:** WER does *not* use login.live.com to access Microsoft Account consumer services such as Xbox Live. WER uses an anti-spoofing API at that address to enhance the integrity of error reports. | -| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. | -| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity. | +| `https://login.live.com` | This endpoint is required by Device Health to ensure data integrity and provides a more reliable device identity for all of the Windows Analytics solutions on Windows 10. If you want to disable end-user managed service account (MSA) access, you should apply the appropriate [policy](https://docs.microsoft.com/windows/security/identity-protection/access-control/microsoft-accounts#block-all-consumer-microsoft-account-user-authentication) instead of blocking this endpoint. | +| `https://www.msftncsi.com` | Windows Error Reporting (WER); required for Device Health to check connectivity | +| `https://www.msftconnecttest.com` | Windows Error Reporting (WER); required for Device Health to check connectivity | >[!NOTE] ->Proxy authentation and SSL inspections are frequent challenges for enterprises. See the following sections for configuration options. +>Proxy authentication and SSL inspections are frequent challenges for enterprises. See the following sections for configuration options. ### Configuring endpoint access with SSL inspection To ensure privacy and data integrity Windows checks for a Microsoft SSL certificate when communicating with the diagnostic data endpoints. Accordingly SSL interception and inspection is not possible. To use Windows Analytics services you should exclude the above endpoints from SSL inspection. @@ -76,10 +83,12 @@ The compatibility update scans your devices and enables application usage tracki | **Operating System** | **Updates** | |----------------------|-----------------------------------------------------------------------------| -| Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up-to-date with cummulative updates. | +| Windows 10 | Windows 10 includes the compatibility update, so you will automatically have the latest compatibility update so long as you continue to keep your Windows 10 devices up-to-date with cumulative updates. | | Windows 8.1 | [KB 2976978](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
      Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
      For more information about this update, see | | Windows 7 SP1 | [KB2952664](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
      Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
      For more information about this update, see | +We also recommend installing the latest [Windows Monthly Rollup](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=security%20monthly%20quality%20rollup) on Windows 7 and Windows 8.1 devices. + >[!IMPORTANT] >Restart devices after you install the compatibility updates for the first time. diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md index 04358b5b05..1c5817f29c 100644 --- a/windows/deployment/update/windows-analytics-privacy.md +++ b/windows/deployment/update/windows-analytics-privacy.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 07/02/2018 +ms.date: 12/11/2018 ms.localizationpriority: high --- @@ -17,7 +17,7 @@ ms.localizationpriority: high Windows Analytics is fully committed to privacy, centering on these tenets: - **Transparency:** We fully document the Windows Analytics diagnostic events (see the links for additional information) so you can review them with your company’s security and compliance teams. The Diagnostic Data Viewer lets you see diagnostic data sent from a given device (see [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) for details). -- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics +- **Control:** You ultimately control the level of diagnostic data you wish to share. In Windows 10, version 1709 we added a new policy to Limit enhanced diagnostic data to the minimum required by Windows Analytics - **Security:** Your data is protected with strong security and encryption - **Trust:** Windows Analytics supports the Microsoft Online Service Terms @@ -39,8 +39,11 @@ See these topics for additional background information about related privacy iss - [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance) - [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) -- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) (link downloads a PDF file) -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) +- [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809) +- [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803) +- [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703) - [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](https://docs.microsoft.com/windows/configuration/enhanced-diagnostic-data-windows-analytics-events-and-fields) - [Diagnostic Data Viewer Overview](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) - [Licensing Terms and Documentation](https://www.microsoftvolumelicensing.com/DocumentSearch.aspx?Mode=3&DocumentTypeId=31) diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md new file mode 100644 index 0000000000..de4b23511b --- /dev/null +++ b/windows/deployment/update/windows-as-a-service.md @@ -0,0 +1,137 @@ +--- +title: Windows as a service +ms.prod: windows-10 +layout: LandingPage +ms.topic: landing-page +ms.manager: elizapo +author: lizap +ms.author: elizapo +ms.date: 12/19/2018 +ms.localizationpriority: high +--- +# Windows as a service + +Find the tools and resources you need to help deploy and support Windows as a service in your organization. + +## Latest news, videos, & podcasts + +Find the latest and greatest news on Windows 10 deployment and servicing. + +**Windows 10 monthly updates** +> [!VIDEO https://www.youtube-nocookie.com/embed/BwB10v55WSk] + +Windows 10 is the most secure version of Windows yet. Learn what updates we release and when we release them, so you understand the efforts we take to keep your digital life safe and secure. + +The latest news: + + +[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). + +## IT pro champs corner +Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing. + + + + +**NEW** Understanding the differences between servicing Windows 10-era and legacy Windows operating systems + +NEW Express updates for Windows Server 2016 re-enabled for November 2018 update + + +2019 SHA-2 Code Signing Support requirement for Windows and WSUS + +Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices + +## Discover + +Learn more about Windows as a service and its value to your organization. + + + +Overview of Windows as a service + +Quick guide to Windows as a service + +Windows Analytics overview + +What's new in Windows 10 deployment + +How Microsoft IT deploys Windows 10 + +## Plan + +Prepare to implement Windows as a service effectively using the right tools, products, and strategies. + + + +Simplified updates + +Windows 10 end user readiness + +Ready for Windows + +Manage Windows upgrades with Upgrade Readiness + +Preparing your organization for a seamless Windows 10 deployment + +## Deploy + +Secure your organization's deployment investment. + + + +Update Windows 10 in the enterprise + +Deploying as an in-place upgrade + +Configure Windows Update for Business + +Express update delivery + +Windows 10 deployment considerations + + +## Microsoft Ignite 2018 + + +Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. + +[BRK2417: What’s new in Windows Analytics: An Intro to Desktop Analytics](https://myignite.techcommunity.microsoft.com/sessions/64324#ignite-html-anchor) + +[BRK3018: Deploying Windows 10 in the enterprise using traditional and modern techniques](https://myignite.techcommunity.microsoft.com/sessions/64509#ignite-html-anchor) + +[BRK3019: Delivery Optimization deep dive: How to reduce internet bandwidth impact on your network](https://myignite.techcommunity.microsoft.com/sessions/64510#ignite-html-anchor) + +[BRK3020: Using AI to automate Windows and Office update staging with Windows Update for Business](https://myignite.techcommunity.microsoft.com/sessions/64513#ignite-html-anchor) + +[BRK3027: Deploying Windows 10: Making the update experience smooth and seamless](https://myignite.techcommunity.microsoft.com/sessions/64612#ignite-html-anchor) + +[BRK3039: Windows 10 and Microsoft Office 365 ProPlus lifecycle and servicing update](https://myignite.techcommunity.microsoft.com/sessions/66763#ignite-html-anchor) + +[BRK3211: Ask the Experts: Successfully deploying, servicing, managing Windows 10](https://myignite.techcommunity.microsoft.com/sessions/65963#ignite-html-anchor) + +[THR2234: Windows servicing and delivery fundamentals](https://myignite.techcommunity.microsoft.com/sessions/66741#ignite-html-anchor) + +[THR3006: The pros and cons of LTSC in the enterprise](https://myignite.techcommunity.microsoft.com/sessions/64512#ignite-html-anchor) diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md new file mode 100644 index 0000000000..d507deedb3 --- /dev/null +++ b/windows/deployment/update/windows-update-error-reference.md @@ -0,0 +1,362 @@ +--- +title: Windows Update error code list by component +description: Reference information for Windows Update error codes +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 09/18/2018 +--- + +# Windows Update error codes by component + +>Applies to: Windows 10 + + +This section lists the error codes for Microsoft Windows Update. + +## Automatic Update Errors + +|Error code|Message|Description| +|-|-|-| +|0x80243FFF|WU_E_AUCLIENT_UNEXPECTED|There was a user interface error not covered by another WU_E_AUCLIENT_* error code.| +|0x8024A000|WU_E_AU_NOSERVICE|Automatic Updates was unable to service incoming requests. | +|0x8024A002|WU_E_AU_NONLEGACYSERVER|The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded.|  +|0x8024A003 |WU_E_AU_LEGACYCLIENTDISABLED| The old version of the Automatic Updates client was disabled.|  +|0x8024A004|WU_E_AU_PAUSED|Automatic Updates was unable to process incoming requests because it was paused.|  +|0x8024A005|WU_E_AU_NO_REGISTERED_SERVICE| No unmanaged service is registered with AU.|  +|0x8024AFFF|WU_E_AU_UNEXPECTED| An Automatic Updates error not covered by another WU_E_AU * code.|  + +## Windows Update UI errors + +|Error code|Message|Description| +|-|-|-| +|0x80243001|WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION|The results of download and installation could not be read from the registry due to an unrecognized data format version.|  +|0x80243002|WU_E_INSTALLATION_RESULTS_INVALID_DATA|The results of download and installation could not be read from the registry due to an invalid data format.|  +|0x80243003|WU_E_INSTALLATION_RESULTS_NOT_FOUND |The results of download and installation are not available; the operation may have failed to start.|  +|0x80243004| WU_E_TRAYICON_FAILURE| A failure occurred when trying to create an icon in the taskbar notification area.| +|0x80243FFD| WU_E_NON_UI_MODE| Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  | +|0x80243FFE| WU_E_WUCLTUI_UNSUPPORTED_VERSION| Unsupported version of WU client UI exported functions.  | +|0x80243FFF| WU_E_AUCLIENT_UNEXPECTED| There was a user interface error not covered by another WU_E_AUCLIENT_* error code.  | + +## Inventory errors + +|Error code|Message|Description| +|-|-|-| +|0x80249001| WU_E_INVENTORY_PARSEFAILED| Parsing of the rule file failed. | +|0x80249002| WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED | Failed to get the requested inventory type from the server. | +|0x80249003| WU_E_INVENTORY_RESULT_UPLOAD_FAILED| Failed to upload inventory result to the server. | +|0x80249004| WU_E_INVENTORY_UNEXPECTED| There was an inventory error not covered by another error code.|  +|0x80249005| WU_E_INVENTORY_WMI_ERROR| A WMI error occurred when enumerating the instances for a particular class.  | + +## Expression evaluator errors + +|Error code|Message|Description| +|-|-|-| +|0x8024E001 | WU_E_EE_UNKNOWN_EXPRESSION | An expression evaluator operation could not be completed because an expression was unrecognized.| +|0x8024E002| WU_E_EE_INVALID_EXPRESSION| An expression evaluator operation could not be completed because an expression was invalid.  | +|0x8024E003| WU_E_EE_MISSING_METADATA| An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. | +|0x8024E004| WU_E_EE_INVALID_VERSION| An expression evaluator operation could not be completed because the version of the serialized expression data is invalid. | +| 0x8024E005| WU_E_EE_NOT_INITIALIZED| The expression evaluator could not be initialized.|  +| 0x8024E006| WU_E_EE_INVALID_ATTRIBUTEDATA | An expression evaluator operation could not be completed because there was an invalid attribute.| +| 0x8024E007| WU_E_EE_CLUSTER_ERROR | An expression evaluator operation could not be completed because the cluster state of the computer could not be determined. | +| 0x8024EFFF| WU_E_EE_UNEXPECTED| There was an expression evaluator error not covered by another WU_E_EE_* error code.  | + +## Reporter errors + +|Error code|Message|Description| +|-|-|-| +| 0x80247001| WU_E_OL_INVALID_SCANFILE | An operation could not be completed because the scan package was invalid.|  +|0x80247002| WU_E_OL_NEWCLIENT_REQUIRED| An operation could not be completed because the scan package requires a greater version of the Windows Update Agent.|  +| 0x80247FFF| WU_E_OL_UNEXPECTED| Search using the scan package failed. | +| 0x8024F001| WU_E_REPORTER_EVENTCACHECORRUPT| The event cache file was defective. | +| 0x8024F002 | WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED | The XML in the event namespace descriptor could not be parsed.|  +| 0x8024F003| WU_E_INVALID_EVENT| The XML in the event namespace descriptor could not be parsed.|  +| 0x8024F004| WU_E_SERVER_BUSY| The server rejected an event because the server was too busy.|  +| 0x8024FFFF| WU_E_REPORTER_UNEXPECTED| There was a reporter error not covered by another error code. | + +## Redirector errors +The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors. + +|Error code|Message|Description | +|-|-|-| +| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class.  | +| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. | +| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab.  | +| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.  | + +## Protocol Talker errors +The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method. + +|Error code|Message|Description| +|-|-|-| +| 0x80244000| WU_E_PT_SOAPCLIENT_BASE| WU_E_PT_SOAPCLIENT_* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library.| +|0x80244001| WU_E_PT_SOAPCLIENT_INITIALIZE| Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. | +| 0x80244002| WU_E_PT_SOAPCLIENT_OUTOFMEMORY| Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory. | +| 0x80244003| WU_E_PT_SOAPCLIENT_GENERATE| Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request.|  +| 0x80244004| WU_E_PT_SOAPCLIENT_CONNECT| Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server. | +| 0x80244005| WU_E_PT_SOAPCLIENT_SEND| Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_* error codes.| +| 0x80244006| WU_E_PT_SOAPCLIENT_SERVER| Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error. | +| 0x80244007| WU_E_PT_SOAPCLIENT_SOAPFAULT| Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_* error codes.| +| 0x80244008| WU_E_PT_SOAPCLIENT_PARSEFAULT| Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault.|  +| 0x80244009| WU_E_PT_SOAPCLIENT_READ| Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server.| +| 0x8024400A| WU_E_PT_SOAPCLIENT_PARSE| Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server. | + + + +## Other Protocol Talker errors +The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT. + +|Error code|Message|Description| +|-|-|-| +| 0x8024400B| WU_E_PT_SOAP_VERSION| Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope.| +| 0x8024400C| WU_E_PT_SOAP_MUST_UNDERSTAND| Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  | +| 0x8024400D| WU_E_PT_SOAP_CLIENT| Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending. | +| 0x8024400E| WU_E_PT_SOAP_SERVER| Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later. | +| 0x8024400F| WU_E_PT_WMI_ERROR| There was an unspecified Windows Management Instrumentation (WMI) error.|  +| 0x80244010| WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS| The number of round trips to the server exceeded the maximum limit. | +| 0x80244011| WU_E_PT_SUS_SERVER_NOT_SET| WUServer policy value is missing in the registry. | +| 0x80244012| WU_E_PT_DOUBLE_INITIALIZATION| Initialization failed because the object was already initialized. | +| 0x80244013| WU_E_PT_INVALID_COMPUTER_NAME| The computer name could not be determined. | +| 0x80244015| WU_E_PT_REFRESH_CACHE_REQUIRED| The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry.|  +| 0x80244016| WU_E_PT_HTTP_STATUS_BAD_REQUEST| Same as HTTP status 400 - the server could not process the request due to invalid syntax. | +| 0x80244017| WU_E_PT_HTTP_STATUS_DENIED| Same as HTTP status 401 - the requested resource requires user authentication. | +| 0x80244018| WU_E_PT_HTTP_STATUS_FORBIDDEN| Same as HTTP status 403 - server understood the request but declined to fulfill it.| +| 0x80244019| WU_E_PT_HTTP_STATUS_NOT_FOUND| Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). | +| 0x8024401A| WU_E_PT_HTTP_STATUS_BAD_METHOD| Same as HTTP status 405 - the HTTP method is not allowed.  | +| 0x8024401B| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ| Same as HTTP status 407 - proxy authentication is required. | +| 0x8024401C| WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT| Same as HTTP status 408 - the server timed out waiting for the request. | +| 0x8024401D| WU_E_PT_HTTP_STATUS_CONFLICT| Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. | +| 0x8024401E| WU_E_PT_HTTP_STATUS_GONE| Same as HTTP status 410 - requested resource is no longer available at the server.| +| 0x8024401F| WU_E_PT_HTTP_STATUS_SERVER_ERROR| Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. | +| 0x80244020| WU_E_PT_HTTP_STATUS_NOT_SUPPORTED| Same as HTTP status 500 - server does not support the functionality required to fulfill the request. | +| 0x80244021| WU_E_PT_HTTP_STATUS_BAD_GATEWAY |Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request.| +| 0x80244022| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL| Same as HTTP status 503 - the service is temporarily overloaded.  | +| 0x80244023| WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT| Same as HTTP status 503 - the request was timed out waiting for a gateway. | +| 0x80244024| WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP| Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. | +| 0x80244025| WU_E_PT_FILE_LOCATIONS_CHANGED| Operation failed due to a changed file location; refresh internal state and resend.|  +| 0x80244026| WU_E_PT_REGISTRATION_NOT_SUPPORTED| Operation failed because Windows Update Agent does not support registration with a non-WSUS server. | +| 0x80244027| WU_E_PT_NO_AUTH_PLUGINS_REQUESTED| The server returned an empty authentication information list.  | +| 0x80244028| WU_E_PT_NO_AUTH_COOKIES_CREATED| Windows Update Agent was unable to create any valid authentication cookies. | +| 0x80244029| WU_E_PT_INVALID_CONFIG_PROP| A configuration property value was wrong. | +| 0x8024402A| WU_E_PT_CONFIG_PROP_MISSING| A configuration property value was missing. | +| 0x8024402B| WU_E_PT_HTTP_STATUS_NOT_MAPPED| The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_* error codes. | +| 0x8024402C| WU_E_PT_WINHTTP_NAME_NOT_RESOLVED| Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. | +| 0x8024402F| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS| External cab file processing completed with some errors.| +| 0x80244030| WU_E_PT_ECP_INIT_FAILED| The external cab processor initialization did not complete. | +| 0x80244031| WU_E_PT_ECP_INVALID_FILE_FORMAT| The format of a metadata file was invalid. | +| 0x80244032| WU_E_PT_ECP_INVALID_METADATA| External cab processor found invalid metadata. | +| 0x80244033| WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST| The file digest could not be extracted from an external cab file. | +| 0x80244034| WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE| An external cab file could not be decompressed. | +| 0x80244035| WU_E_PT_ECP_FILE_LOCATION_ERROR| External cab processor was unable to get file locations. | +| 0x80244FFF| WU_E_PT_UNEXPECTED| A communication error not covered by another WU_E_PT_* error code. | +| 0x8024502D| WU_E_PT_SAME_REDIR_ID| Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. | +| 0x8024502E| WU_E_PT_NO_MANAGED_RECOVER| A redirector recovery action did not complete because the server is managed. | + +## Download Manager errors + +|Error code|Message|Description| +|-|-|-| +| 0x80246001| WU_E_DM_URLNOTAVAILABLE| A download manager operation could not be completed because the requested file does not have a URL. | +| 0x80246002| WU_E_DM_INCORRECTFILEHASH| A download manager operation could not be completed because the file digest was not recognized. | +| 0x80246003| WU_E_DM_UNKNOWNALGORITHM| A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm. | +| 0x80246004| WU_E_DM_NEEDDOWNLOADREQUEST| An operation could not be completed because a download request is required from the download handler. | +| 0x80246005| WU_E_DM_NONETWORK| A download manager operation could not be completed because the network connection was unavailable. | +| 0x80246006| WU_E_DM_WRONGBITSVERSION| A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible.|  +| 0x80246007| WU_E_DM_NOTDOWNLOADED| The update has not been downloaded. | +| 0x80246008| WU_E_DM_FAILTOCONNECTTOBITS| A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS).|  +| 0x80246009|WU_E_DM_BITSTRANSFERERROR| A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  | +| 0x8024600A| WU_E_DM_DOWNLOADLOCATIONCHANGED| A download must be restarted because the location of the source of the download has changed.|  +| 0x8024600B| WU_E_DM_CONTENTCHANGED| A download must be restarted because the update content changed in a new revision.  | +| 0x80246FFF| WU_E_DM_UNEXPECTED| There was a download manager error not covered by another WU_E_DM_* error code.  | + +## Update Handler errors + +|Error code|Message|Description| +|-|-|-| +| 0x80242000| WU_E_UH_REMOTEUNAVAILABLE|9 A request for a remote update handler could not be completed because no remote process is available. | +| 0x80242001| WU_E_UH_LOCALONLY| A request for a remote update handler could not be completed because the handler is local only. | +| 0x80242002| WU_E_UH_UNKNOWNHANDLER| A request for an update handler could not be completed because the handler could not be recognized. | +| 0x80242003| WU_E_UH_REMOTEALREADYACTIVE| A remote update handler could not be created because one already exists.  | +| 0x80242004| WU_E_UH_DOESNOTSUPPORTACTION| A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall).|  +| 0x80242005| WU_E_UH_WRONGHANDLER| An operation did not complete because the wrong handler was specified.  | +| 0x80242006| WU_E_UH_INVALIDMETADATA| A handler operation could not be completed because the update contains invalid metadata. | +| 0x80242007| WU_E_UH_INSTALLERHUNG| An operation could not be completed because the installer exceeded the time limit. | +| 0x80242008| WU_E_UH_OPERATIONCANCELLED| An operation being done by the update handler was cancelled. | +| 0x80242009| WU_E_UH_BADHANDLERXML| An operation could not be completed because the handler-specific metadata is invalid.  | +| 0x8024200A| WU_E_UH_CANREQUIREINPUT| A request to the handler to install an update could not be completed because the update requires user input. | +| 0x8024200B| WU_E_UH_INSTALLERFAILURE| The installer failed to install (uninstall) one or more updates.  | +| 0x8024200C| WU_E_UH_FALLBACKTOSELFCONTAINED| The update handler should download self-contained content rather than delta-compressed content for the update. | +| 0x8024200D| WU_E_UH_NEEDANOTHERDOWNLOAD| The update handler did not install the update because it needs to be downloaded again.  | +| 0x8024200E| WU_E_UH_NOTIFYFAILURE| The update handler failed to send notification of the status of the install (uninstall) operation.  | +| 0x8024200F| WU_E_UH_INCONSISTENT_FILE_NAMES | The file names contained in the update metadata and in the update package are inconsistent.  | +| 0x80242010| WU_E_UH_FALLBACKERROR| The update handler failed to fall back to the self-contained content.  | +| 0x80242011| WU_E_UH_TOOMANYDOWNLOADREQUESTS| The update handler has exceeded the maximum number of download requests.  | +| 0x80242012| WU_E_UH_UNEXPECTEDCBSRESPONSE| The update handler has received an unexpected response from CBS.  | +| 0x80242013| WU_E_UH_BADCBSPACKAGEID| The update metadata contains an invalid CBS package identifier.  | +| 0x80242014| WU_E_UH_POSTREBOOTSTILLPENDING| The post-reboot operation for the update is still in progress.  | +| 0x80242015| WU_E_UH_POSTREBOOTRESULTUNKNOWN| The result of the post-reboot operation for the update could not be determined.  | +| 0x80242016| WU_E_UH_POSTREBOOTUNEXPECTEDSTATE| The state of the update after its post-reboot operation has completed is unexpected.  | +| 0x80242017| WU_E_UH_NEW_SERVICING_STACK_REQUIRED| The OS servicing stack must be updated before this update is downloaded or installed.  | +| 0x80242FFF| WU_E_UH_UNEXPECTED| An update handler error not covered by another WU_E_UH_* code.  | + +## Data Store errors + +|Error code|Message|Description | +|-|-|-| +| 0x80248000| WU_E_DS_SHUTDOWN| An operation failed because Windows Update Agent is shutting down.  | +| 0x80248001| WU_E_DS_INUSE| An operation failed because the data store was in use.|  +| 0x80248002| WU_E_DS_INVALID| The current and expected states of the data store do not match.|  +| 0x80248003| WU_E_DS_TABLEMISSING| The data store is missing a table.  | +| 0x80248004| WU_E_DS_TABLEINCORRECT| The data store contains a table with unexpected columns.  | +| 0x80248005| WU_E_DS_INVALIDTABLENAME| A table could not be opened because the table is not in the data store. | +| 0x80248006| WU_E_DS_BADVERSION| The current and expected versions of the data store do not match. | +| 0x80248007| WU_E_DS_NODATA| The information requested is not in the data store.  | +| 0x80248008| WU_E_DS_MISSINGDATA| The data store is missing required information or has a NULL in a table column that requires a non-null value.  | +| 0x80248009| WU_E_DS_MISSINGREF| The data store is missing required information or has a reference to missing license terms file localized property or linked row. | +| 0x8024800A| WU_E_DS_UNKNOWNHANDLER| The update was not processed because its update handler could not be recognized.  | +| 0x8024800B| WU_E_DS_CANTDELETE| The update was not deleted because it is still referenced by one or more services.  | +| 0x8024800C| WU_E_DS_LOCKTIMEOUTEXPIRED| The data store section could not be locked within the allotted time.  | +| 0x8024800D| WU_E_DS_NOCATEGORIES | The category was not added because it contains no parent categories and is not a top-level category itself.  | +| 0x8024800E| WU_E_DS_ROWEXISTS| The row was not added because an existing row has the same primary key.  | +| 0x8024800F| WU_E_DS_STOREFILELOCKED| The data store could not be initialized because it was locked by another process.  | +| 0x80248010| WU_E_DS_CANNOTREGISTER| The data store is not allowed to be registered with COM in the current process.  +| 0x80248011| WU_E_DS_UNABLETOSTART| Could not create a data store object in another process.  +| 0x80248013| WU_E_DS_DUPLICATEUPDATEID |The server sent the same update to the client with two different revision IDs.  +| 0x80248014 |WU_E_DS_UNKNOWNSERVICE| An operation did not complete because the service is not in the data store.  +| 0x80248015 |WU_E_DS_SERVICEEXPIRED |An operation did not complete because the registration of the service has expired.  +| 0x80248016 | WU_E_DS_DECLINENOTALLOWED | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline.  +| 0x80248017 | WU_E_DS_TABLESESSIONMISMATCH| A table was not closed because it is not associated with the session.  +| 0x80248018 | WU_E_DS_SESSIONLOCKMISMATCH| A table was not closed because it is not associated with the session.  +| 0x80248019 | WU_E_DS_NEEDWINDOWSSERVICE| A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service.  +| 0x8024801A | WU_E_DS_INVALIDOPERATION| A request was declined because the operation is not allowed.  +| 0x8024801B | WU_E_DS_SCHEMAMISMATCH| The schema of the current data store and the schema of a table in a backup XML document do not match.  +| 0x8024801C | WU_E_DS_RESETREQUIRED| The data store requires a session reset; release the session and retry with a new session.  +| 0x8024801D | WU_E_DS_IMPERSONATED| A data store operation did not complete because it was requested with an impersonated identity.  +| 0x80248FFF | WU_E_DS_UNEXPECTED| A data store error not covered by another WU_E_DS_* code.  + +## Driver Util errors +The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped. + +|Error code|Message|Description +|-|-|-| +| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped.  +| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications.  +| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type.  +| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata.  +| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute.  +| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed.  +| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing.  +| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code.  + +## Windows Update error codes + +|Error code|Message|Description +|-|-|-| +| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service.  +| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded.  +| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found.  +| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized.  +| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range.  +| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1).  +| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid.  +| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found.  +| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously.  +| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed.  +| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled.  +| 0x8024000C | WU_E_NOOP| No operation was required.  +| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data.  +| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data.  +| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.  +| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated.  +| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected.  +| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read.  +| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list.  +| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart.  +| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates.  +| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing.  +| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time.  +| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set.  +| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating.  +| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata.  +| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down.  +| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable.  +| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user.  +| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out.  +| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates.  +| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined.  +| 0x80240024 | WU_E_NO_UPDATE| There are no updates.  +| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update.  +| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid.  +| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length.  +| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server.  +| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system.  +| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing.  +| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server.  +| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source.  +| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source.  +| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed.  +| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set.  +| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid.  +| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format.  +| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid.  +| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded.  +| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download.  +| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed.  +| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation.  +| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported.  +| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type.  +| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times.  +| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation.  +| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running.  +| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU.  +| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI.  +| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code.  + +## Windows Update success codes + +|Error code|Message|Description +|-|-|-| +| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully.  +| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself.  +| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates.  +| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing.  +| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update.  +| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system.  +| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system.  +| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded.  + +## Windows Installer minor errors +The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer. + +|Error code|Message|Description +|-|-|-| +| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1.  +| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured.  +| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching.  +| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user.  +| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer.  + +## Windows Update Agent update and setup errors + +|Error code|Message|Description +|-|-|-| +| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information.  +| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information.  +| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice.  +| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully.  +| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions.  +| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file.  +| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error.  +| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.  +| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported.  +| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update.  +| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required.  +| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running.  +| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation.  +| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution.  +| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information.  +| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version.  +| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code.  \ No newline at end of file diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md new file mode 100644 index 0000000000..25fd1a5279 --- /dev/null +++ b/windows/deployment/update/windows-update-errors.md @@ -0,0 +1,35 @@ +--- +title: Windows Update common errors and mitigation +description: Learn about some common issues you might experience with Windows Update +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 09/18/2018 +--- + +# Windows Update common errors and mitigation + +>Applies to: Windows 10 + +The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them. + +|Error Code|Message|Description|Mitigation| +|-|-|-|-| +|0x8024402F|WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS|External cab file processing completed with some errors|One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
      The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed | +|0x80242006|WU_E_UH_INVALIDMETADATA|A handler operation could not be completed because the update contains invalid metadata.|Rename Software Redistribution Folder and attempt to download the updates again:
      Rename the following folders to *.BAK:
      - %systemroot%\system32\catroot2

      To do this, type the following commands at a command prompt. Press ENTER after you type each command.
      - Ren %systemroot%\SoftwareDistribution\DataStore *.bak
      - Ren %systemroot%\SoftwareDistribution\Download *.bak
      Ren %systemroot%\system32\catroot2 *.bak | +|0x80070BC9|ERROR_FAIL_REBOOT_REQUIRED|The requested operation failed. A system reboot is required to roll back changes made.|Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS.| +|0x80200053|BG_E_VALIDATION_FAILED|NA|Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

      If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | +|0x80072EE2|WININET_E_TIMEOUT|The operation timed out|This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
      http://*.update.microsoft.com
      https://*.update.microsoft.com
      http://download.windowsupdate.com

      Additionally , you can take a network trace and see what is timing out. | +|0x80072EFD
      0x80072EFE 
      0x80D02002|TIME OUT ERRORS|The operation timed out|Make sure there are no firewall rules or proxy to block Microsoft download URLs.
      Take a network monitor trace to understand better. | +|0X8007000D|ERROR_INVALID_DATA|Indicates invalid data downloaded or corruption occurred.|Attempt to re-download the update and initiate installation. | +|0x8024A10A|USO_E_SERVICE_SHUTTING_DOWN|Indicates that the WU Service is shutting down.|This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | +|0x80240020|WU_E_NO_INTERACTIVE_USER|Operation did not complete because there is no logged-on interactive user.|Please login to the system to initiate the installation and allow the system to be rebooted. | +|0x80242014|WU_E_UH_POSTREBOOTSTILLPENDING|The post-reboot operation for the update is still in progress.|Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. | +|0x80246017|WU_E_DM_UNAUTHORIZED_LOCAL_USER|The download failed because the local user was denied authorization to download the content.|Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).| +|0x8024000B|WU_E_CALL_CANCELLED|Operation was cancelled.|This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete.| +|0x8024000E|WU_E_XML_INVALID|Windows Update Agent found invalid information in the update's XML data.|Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. | +|0x8024D009|WU_E_SETUP_SKIP_UPDATE|An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.|You may encounter this error when WSUS is not sending the Self-update to the clients.

      Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue.| +|0x80244007|WU_E_PT_SOAPCLIENT_SOAPFAULT|SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_* error codes.|This issue occurs because Windows cannot renew the cookies for Windows Update.

      Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue.| \ No newline at end of file diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md new file mode 100644 index 0000000000..b202854a46 --- /dev/null +++ b/windows/deployment/update/windows-update-logs.md @@ -0,0 +1,142 @@ +--- +title: Windows Update log files +description: Learn about the Windows Update log files +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 09/18/2018 +--- + +# Windows Update log files + +>Applies to: Windows 10 + +The following table describes the log files created by Windows Update. + + +|Log file|Location|Description|When to Use | +|-|-|-|-| +|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.| +|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
      When Updates are downloaded but installation is not triggered.
      When Updates are installed but reboot is not triggered. | +|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. | +|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.| + +## Generating WindowsUpdate.log +To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps). + +>[!NOTE] +>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again. + +### Windows Update log components +The WU engine has different component names. The following are some of the most common components that appear in the WindowsUpdate.log file: + +- AGENT- Windows Update agent +- AU - Automatic Updates is performing this task +- AUCLNT- Interaction between AU and the logged-on user +- CDM- Device Manager +- CMPRESS- Compression agent +- COMAPI- Windows Update API +- DRIVER- Device driver information +- DTASTOR- Handles database transactions +- EEHNDLER- Expression handler that's used to evaluate update applicability +- HANDLER- Manages the update installers +- MISC- General service information +- OFFLSNC- Detects available updates without network connection +- PARSER- Parses expression information +- PT- Synchronizes updates information to the local datastore +- REPORT- Collects reporting information +- SERVICE- Startup/shutdown of the Automatic Updates service +- SETUP- Installs new versions of the Windows Update client when it is available +- SHUTDWN- Install at shutdown feature +- WUREDIR- The Windows Update redirector files +- WUWEB- The Windows Update ActiveX control +- ProtocolTalker - Client-server sync +- DownloadManager - Creates and monitors payload downloads +- Handler, Setup - Installer handlers (CBS, and so on) +- EEHandler - Evaluating update applicability rules +- DataStore - Caching update data locally +- IdleTimer - Tracking active calls, stopping a service + +>[!NOTE] +>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important. + +### Windows Update log structure +The Windows update log structure is separated into four main identities: + +- Time Stamps +- Process ID and Thread ID +- Component Name +- Update Identifiers + - Update ID and Revision Number + - Revision ID + - Local ID + - Inconsistent terminology + +The WindowsUpdate.log structure is discussed in the following sections. + +#### Time stamps +The time stamp indicates the time at which the logging occurs. +- Messages are usually in chronological order, but there may be exceptions. +- A pause during a sync can indicate a network problem, even if the scan succeeds. +- A long pause near the end of a scan can indicate a supersedence chain issue. + ![Windows Update time stamps](images/update-time-log.png) + + +#### Process ID and thread ID +The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log. +- The first four hex digits are the process ID. +- The next four hex digits are the thread ID. +- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID. + ![Windows Update process and thread IDs](images/update-process-id.png) + + +#### Component name +Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows: + +- ProtocolTalker - Client-server sync +- DownloadManager - Creates and monitors payload downloads +- Handler, Setup - Installer handlers (CBS, etc.) +- EEHandler - Evaluating update applicability rules +- DataStore - Caching update data locally +- IdleTimer - Tracking active calls, stopping service + +![Windows Update component name](images/update-component-name.png) + + +#### Update identifiers + +##### Update ID and revision number +There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes. +- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time +- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service +- Revision numbers are reused from one update to another (not a unique identifier). +- The update ID and revision number are often shown together as "{GUID}.revision." + ![Windows Update update identifiers](images/update-update-id.png) + + +##### Revision ID +- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service. +- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID. +- Revision IDs are unique on a given update source, but not across multiple sources. +- The same update revision may have completely different revision IDs on WU and WSUS. +- The same revision ID may represent different updates on WU and WSUS. + +##### Local ID +- Local ID is a serial number issued when an update is received from a service by a given WU client +- Usually seen in debug logs, especially involving the local cache for update info (Datastore) +- Different client PCs will assign different Local IDs to the same update +- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file + +##### Inconsistent terminology +- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs. +- Recognize IDs by form and context: + + - GUIDs are update IDs + - Small integers that appear alongside an update ID are revision numbers + - Large integers are typically revision IDs + - Small integers (especially in Datastore) can be local IDs + ![Windows Update inconsisten terminology](images/update-inconsistent.png) + diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md new file mode 100644 index 0000000000..a89c60d9ec --- /dev/null +++ b/windows/deployment/update/windows-update-overview.md @@ -0,0 +1,54 @@ +--- +title: Get started with Windows Update +description: Learn how Windows Update works, including architecture and troubleshooting +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 09/18/2018 +--- + +# Get started with Windows Update + +>Applies to: Windows 10 + +With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. + +Ues the following information to get started with Windows Update: + +- Understand the UUP architecture +- Understand [how Windows Update works](how-windows-update-works.md) +- Find [Windows Update log files](windows-update-logs.md) +- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md) +- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md) +- Review [other resources](windows-update-resources.md) to help you use Windows Update + +## Unified Update Platform (UUP) architecture +To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. + +![Windows Update terminology](images/update-terminology.png) + +- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. +- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. + + Update types- + - OS Feature updates + - OS Security updates + - Device drivers + - Defender definition updates + + >[!NOTE] + > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update. + > + >Store apps aren't installed by USO, today they are separate. + +- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller. +- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date. +- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS. + +Additional components include the following- + +- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules. +- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages. \ No newline at end of file diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md new file mode 100644 index 0000000000..eeac6b3852 --- /dev/null +++ b/windows/deployment/update/windows-update-resources.md @@ -0,0 +1,123 @@ +--- +title: Windows Update - Additional resources +description: Additional resources for Windows Update +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 09/18/2018 +--- + +# Windows Update - additional resources + +>Applies to: Windows 10 + +The following resources provide additional information about using Windows Update. + +## WSUS Troubleshooting + +[Troubleshooting issues with WSUS client agents](https://support.microsoft.com/help/10132/) + +[How to troubleshoot WSUS](https://support.microsoft.com/help/4025764/) + +[Error 80244007 when WSUS client scans for updates](https://support.microsoft.com/help/4096317/) + +[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/) + + +## How do I reset Windows Update components? + +[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data. + + +[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allow reset the Windows Update Agent resolving issues with Windows Update. + + +## Reset Windows Update components manually +1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER: + ``` + cmd + ``` +2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + ``` + net stop bits + net stop wuauserv + ``` +3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER: + ``` + Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" + ``` +4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above. + 1. Rename the following folders to *.BAK: + - %systemroot%\SoftwareDistribution\DataStore + - %systemroot%\SoftwareDistribution\Download + - %systemroot%\system32\catroot2 + + To do this, type the following commands at a command prompt. Press ENTER after you type each command. + - Ren %systemroot%\SoftwareDistribution\DataStore *.bak + - Ren %systemroot%\SoftwareDistribution\Download *.bak + - Ren %systemroot%\system32\catroot2 *.bak + 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) + - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) +5. Type the following command at a command prompt, and then press ENTER: + ``` + cd /d %windir%\system32 + ``` +6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + - regsvr32.exe atl.dll + - regsvr32.exe urlmon.dll + - regsvr32.exe mshtml.dll + - regsvr32.exe shdocvw.dll + - regsvr32.exe browseui.dll + - regsvr32.exe jscript.dll + - regsvr32.exe vbscript.dll + - regsvr32.exe scrrun.dll + - regsvr32.exe msxml.dll + - regsvr32.exe msxml3.dll + - regsvr32.exe msxml6.dll + - regsvr32.exe actxprxy.dll + - regsvr32.exe softpub.dll + - regsvr32.exe wintrust.dll + - regsvr32.exe dssenh.dll + - regsvr32.exe rsaenh.dll + - regsvr32.exe gpkcsp.dll + - regsvr32.exe sccbase.dll + - regsvr32.exe slbcsp.dll + - regsvr32.exe cryptdlg.dll + - regsvr32.exe oleaut32.dll + - regsvr32.exe ole32.dll + - regsvr32.exe shell32.dll + - regsvr32.exe initpki.dll + - regsvr32.exe wuapi.dll + - regsvr32.exe wuaueng.dll + - regsvr32.exe wuaueng1.dll + - regsvr32.exe wucltui.dll + - regsvr32.exe wups.dll + - regsvr32.exe wups2.dll + - regsvr32.exe wuweb.dll + - regsvr32.exe qmgr.dll + - regsvr32.exe qmgrprxy.dll + - regsvr32.exe wucltux.dll + - regsvr32.exe muweb.dll + - regsvr32.exe wuwebv.dll +7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: + ``` + netsh reset winsock + ``` +8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER: + ``` + proxycfg.exe -d + ``` +9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. + ``` + net start bits + + net start wuauserv + ``` +10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER: + ``` + bitsadmin.exe /reset /allusers + ``` \ No newline at end of file diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md deleted file mode 100644 index b5f709e351..0000000000 --- a/windows/deployment/update/windows-update-sources.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: Determine the source of Windows updates -description: Determine the source that Windows Update service is currently using. -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: kaushika-msft -ms.localizationpriority: medium -ms.author: jaimeo -ms.date: 04/05/2018 ---- - -# Determine the source of Windows updates - -Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:  - -1. Start Windows PowerShell as an administrator -2. Run `$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`. -3. Run `$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table: - -| Output | Interpretation | -|-----------------------------------------------------|-----------------------------------| -| - Name: **Microsoft Update**
      -OffersWindowsUpdates: **True** | - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
      - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)| -|- Name: **DCat Flighting Prod**
      - OffersWindowsUpdates: **False**|- The update source is the Windows Insider Program.
      - Indicates that the client will not receive or is not configured to receive these updates. | -| - Name: **Windows Store (DCat Prod)**
      - OffersWindowsUpdates: **False** |-The update source is Insider Updates for Store Apps.
      - Indicates that the client will not receive or is not configured to receive these updates.| -|- Name: **Windows Server Update Service**
      - OffersWindowsUpdates: **True** |- The source is a Windows Server Updates Services server.
      - The client is configured to receive updates from WSUS.| -|- Name: **Windows Update**
      - OffersWindowsUpdates: **True** |- The source is Windows Update.
      - The client is configured to receive updates from Windows Update Online.| - - - -See also: - -[Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760) - -[You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer) - -[How to read the Windowsupdate.log file on Windows 7 and earlier OS versions](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file) diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md new file mode 100644 index 0000000000..0f5c91d457 --- /dev/null +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -0,0 +1,175 @@ +--- +title: Windows Update troubleshooting +description: Learn how to troubleshoot Windows Update +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 09/18/2018 +--- + +# Windows Update troubleshooting + +>Applies to: Windows 10 + +If you run into problems when using Windows Update, start with the following steps: + +1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. +2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. +3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: +  + - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) + - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) + - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) + - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) + - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history) + - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history) + - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history) + +Advanced users can also refer to the [log](windows-update-logs.md) generated by Windows Update for further investigation. + +You might encounter the following scenarios when using Windows Update. + +## Why am I offered an older update/upgrade? +The update that is offered to a device depends on several factors. Some of the most common attributes include the following. + +- OS Build +- OS Branch +- OS Locale +- OS Architecture +- Device update management configuration + +If the update you're offered isn't th emost current available, it might be because your device is being managed by a WSUS server, and your'e being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. + +## My machine is frozen at scan. Why? +The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: +1. Close the Settings app and reopen it. +2. Launch Services.msc and check if the following services are running: + - Update State Orchestrator + - Windows Update + +## Issues related to HTTP/Proxy +Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. + +To fix this issue, configure a proxy in WinHTTP by using the following netsh command: + +``` +netsh winhttp set proxy ProxyServerName:PortNumber +``` + +>[!NOTE] +> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie + +If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. + +You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: +*.download.windowsupdate.com +*.au.windowsupdate.com +*.tlu.dl.delivery.mp.microsoft.com + +If you cannot permit RANGE requests, you can configure a Group Policy or MDM Policy setting that will bypass Delivery Optimization and use BITS instead. + + +## The update is not applicable to your computer +The most common reasons for this error are described in the following table: + +|Cause|Explanation|Resolution| +|-----|-----------|----------| +|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | +|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| +|Wrong update for architecture|Updates are published by CPU architecture. If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
      Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | +|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
      Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
      get-hotfix KB3173424,KB2919355,KB2919442
      If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. + +## Issues related to firewall configuration +Error that may be seen in the WU logs: +``` +DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. +``` +Or +``` +[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9 +``` +Or +``` +DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A +``` + +Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information , see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337\(v=ws.10\)) or [Windows Update stuck at 0 percent on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4039473/windows-update-stuck-at-0-percent-on-windows-10-and-windows-server-201). + +## Issues arising from configuration of conflicting policies +Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. + +See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. + + +## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) +Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: +1. Start Windows PowerShell as an administrator +2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". +3. Run \$MUSM.Services. + +Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. + +|Output|Interpretation| +|-|-| +|- Name: Microsoft Update
      -OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
      - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | +|- Name: DCat Flighting Prod
      - OffersWindowsUpdates: False|- The update source is the Windows Insider Program.
      - Indicates that the client will not receive or is not configured to receive these updates. | +|- Name: Windows Store (DCat Prod)
      - OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
      - Indicates that the client will not receive or is not configured to receive these updates.| +|- Name: Windows Server Update Service
      - OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
      - The client is configured to receive updates from WSUS. | +|- Name: Windows Update
      - OffersWindowsUpdates: True|- The source is Windows Update.
      - The client is configured to receive updates from Windows Update Online.| + +## You have a bad setup in the environment +If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: + +``` +HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] +"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. +``` + +From the WU logs: +``` +2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +2018-08-06 09:33:31:085 480 1118 Agent ********* +2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates +2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No +2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*" +2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service +2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine} +2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities +2018-08-06 09:33:32:554 480 1118 Agent ********* +2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +``` + +In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. + +Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. + +``` +2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +2018-08-06 10:58:45:992 480 5d8 Agent ********* +2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No +2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" + +2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2 +2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities +2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates +2018-08-06 10:58:47:383 480 5d8 Agent ********* +2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +``` + +## High bandwidth usage on Windows 10 by Windows Update +Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. + +The following group policies can help mitigate this: + +- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled) +- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update") +- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled) + +Other components that reach out to the internet: + +- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) +- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) +- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md index 6f11599931..e68fbd4f41 100644 --- a/windows/deployment/upgrade/log-files.md +++ b/windows/deployment/upgrade/log-files.md @@ -127,7 +127,7 @@ The first line indicates there was an error **0x00000570** with the file **C:\Pr 27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570] -The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable. +The error 0x00000570 is a [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) corresponding to: ERROR_FILE_CORRUPT: The file or directory is corrupted and unreadable. Therefore, Windows Setup failed because it was not able to migrate the corrupt file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\[CN]**. This file is a local system certificate and can be safely deleted. Searching the setupact.log file for additional details, the phrase "Shell application requested abort" is found in a location with the same timestamp as the lines in setuperr.log. This confirms our suspicion that this file is the cause of the upgrade failure: @@ -161,8 +161,8 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f ## Related topics -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx) -
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx) +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
      [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
      [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md index bd9b717522..73daaea76b 100644 --- a/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md +++ b/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md @@ -10,7 +10,7 @@ ms.date: 04/25/2017 Upgrading to new operating systems has traditionally been a challenging, complex, and slow process for many enterprises. Discovering applications and drivers and then testing them for potential compatibility issues have been among the biggest pain points. -With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview) model. +With the release of Upgrade Readiness, enterprises now have the tools to plan and manage the upgrade process end to end, allowing them to adopt new Windows releases more quickly. With new Windows versions being released multiple times a year, ensuring application and driver compatibility on an ongoing basis is key to adopting new Windows versions as they are released. Windows Upgrade Readiness not only supports upgrade management from Windows 7, Windows 8.1 to Windows 10, but also Windows 10 upgrades in the [Windows as a service](https://technet.microsoft.com/itpro/windows/manage/waas-overview) model. Microsoft developed Upgrade Readiness in response to demand from enterprise customers looking for additional direction and details about upgrading to Windows 10. Upgrade Readiness was built taking into account multiple channels of customer feedback, testing, and Microsoft’s experience upgrading millions of devices to Windows 10. diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index d95d114e32..fd3ae2a1d7 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -20,7 +20,7 @@ ms.localizationpriority: medium >This is a 100 level topic (basic).
      >See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. -The following list of fixes can resolve many Windows upgrade problems. You should try these steps before contacting Microsoft support, or attempting a more advanced analysis of a Windows upgrade failure. Also review information at [Windows 10 help](https://support.microsoft.com/en-us/products/windows?os=windows-10). +The following list of fixes can resolve many Windows upgrade problems. You should try these steps before contacting Microsoft support, or attempting a more advanced analysis of a Windows upgrade failure. Also review information at [Windows 10 help](https://support.microsoft.com/products/windows?os=windows-10). The Microsoft Virtual Agent provided by [Microsoft Support](https://support.microsoft.com/contactus/) can help you to analyze and correct some Windows upgrade errors. **To talk to a person about your issue**, start the Virtual Agent (click **Get started**) and enter "Talk to a person" two times. @@ -47,7 +47,7 @@ The Microsoft Virtual Agent provided by [Microsoft Support](https://support.micr ### Remove external hardware -If the computer is portable and it is currently in a docking station, [undock the computer](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754084(v=ws.11)). +If the computer is portable and it is currently in a docking station, [undock the computer](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754084(v=ws.11)). Unplug nonessential external hardware devices from the computer, such as: - Headphones @@ -66,7 +66,7 @@ Unplug nonessential external hardware devices from the computer, such as: - Smart phones - Secondary monitors, keyboards, mice -For more information about disconnecting external devices, see [Safely remove hardware in Windows 10](https://support.microsoft.com/en-us/help/4051300/windows-10-safely-remove-hardware) +For more information about disconnecting external devices, see [Safely remove hardware in Windows 10](https://support.microsoft.com/help/4051300/windows-10-safely-remove-hardware) ### Repair the system drive @@ -183,7 +183,7 @@ To remove programs, use the same steps as are provided [above](#uninstall-non-mi Updating firmware (such as the BIOS) and installing hardware drivers is a somewhat advanced task. Do not attempt to update BIOS if you aren't familiar with BIOS settings or are not sure how to restore the previous BIOS version if there are problems. Most BIOS updates are provided as a "flash" update. Your manufacturer might provide a tool to perform the update, or you might be required to enter the BIOS and update it manually. Be sure to save your working BIOS settings, since some updates can reset your configuration and make the computer fail to boot if (for example) a RAID configuration is changed. -Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/en-us/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). +Most BIOS and other hardware updates can be obtained from a website maintained by your computer manufacturer. For example, Microsoft Surface device drivers can be obtained at: [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices). To obtain the proper firmware drivers, search for the most updated driver version provided by your computer manufacturer. Install these updates and reboot the computer after installation. Request assistance from the manufacturer if you have any questions. @@ -211,7 +211,7 @@ To free up additional space on the system drive, begin by running Disk Cleanup. ![Disk cleanup](../images/cleanup.png) -For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space). +For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space). When you run Disk Cleanup and enable the option to Clean up system files, you can remove previous Windows installations which can free a large amount of space. You should only do this if you do not plan to restore the old OS version. @@ -229,8 +229,8 @@ If you downloaded the SetupDiag.exe program to your computer, then copied it to ## Related topics -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx) -
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx) +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
      [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
      [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) \ No newline at end of file diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index cb0bb9ff2a..825c47fba7 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -29,7 +29,7 @@ A frequently observed result code is 0xC1900101. This result code can be thrown - Event logs: $Windows.~bt\Sources\Rollback\*.evtx - The device install log: $Windows.~bt\Sources\Rollback\setupapi\setupapi.dev.log -The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/en-us/kb/929135) before initiating the upgrade process. +The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018). To resolve a rollback due to driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process.
      See the following general troubleshooting procedures associated with a result code of 0xC1900101: @@ -111,7 +111,7 @@ The device install log is particularly helpful if rollback occurs during the sys Ensure that all that drivers are updated.
      Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers. -
      For more information, see [Understanding Failures and Log Files](https://technet.microsoft.com/en-us/library/ee851579.aspx). +
      For more information, see [Understanding Failures and Log Files](https://technet.microsoft.com/library/ee851579.aspx).
      Update or uninstall the problem drivers. @@ -236,7 +236,7 @@ Disconnect all peripheral devices that are connected to the system, except for t Mitigation Clean boot into Windows, and then attempt the upgrade to Windows 10.
      -For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135). +For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135).

      Ensure you select the option to "Download and install updates (recommended)." @@ -342,7 +342,7 @@ An extended error has occurred during the first boot phase. Mitigation -Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/en-us/kb/929135). +Disable or uninstall non-Microsoft antivirus applications, disconnect all unnecessary devices, and perform a [clean boot](https://support.microsoft.com/kb/929135). @@ -547,7 +547,7 @@ Download and run the media creation tool. See [Download windows 10](https://www. 0x80070020 The existing process cannot access the file because it is being used by another process. -Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/en-us/kb/929135). +Use the MSCONFIG tool to perform a clean boot on the machine and then try to perform the update again. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135). 0x80070522 @@ -558,7 +558,7 @@ Download and run the media creation tool. See [Download windows 10](https://www. 0xC1900107 A cleanup operation from a previous installation attempt is still pending and a system reboot is required in order to continue the upgrade. -Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/en-us/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10). +Reboot the device and run setup again. If restarting device does not resolve the issue, then use the Disk Cleanup utility and cleanup the temporary as well as the System files. For more information, see [Disk cleanup in Windows 10](https://support.microsoft.com/instantanswers/8fef4121-711b-4be1-996f-99e02c7301c2/disk-cleanup-in-windows-10). 0xC1900209 @@ -668,7 +668,7 @@ Alternatively, re-create installation media the [Media Creation Tool](https://ww
      0x80070070 - 0x50012
      0x80070070 - 0x60000 These errors indicate the computer does not have enough free space available to install the upgrade. -To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/en-us/help/17421/windows-free-up-drive-space) before proceeding with the upgrade. +To upgrade a computer to Windows 10, it requires 16 GB of free hard drive space for a 32-bit OS, and 20 GB for a 64-bit OS. If there is not enough space, attempt to [free up drive space](https://support.microsoft.com/help/17421/windows-free-up-drive-space) before proceeding with the upgrade.
      Note: If your device allows it, you can use an external USB drive for the upgrade process. Windows setup will back up the previous version of Windows to a USB external drive. The external drive must be at least 8GB (16GB is recommended). The external drive should be formatted using NTFS. Drives that are formatted in FAT32 may run into errors due to FAT32 file size limitations. USB drives are preferred over SD cards because drivers for SD cards are not migrated if the device does not support Connected Standby. @@ -755,8 +755,8 @@ Also see the following sequential list of modern setup (mosetup) error codes wit ## Related topics -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx) -
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx) +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
      [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
      [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 845d32e0ab..80c7484a85 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -17,7 +17,7 @@ ms.localizationpriority: medium - Windows 10 >[!IMPORTANT] ->This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/en-us/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md). +>This article contains technical instructions for IT administrators. If you are not an IT administrator, try some of the [quick fixes](quick-fixes.md) described in this article then contact [Microsoft Support](https://support.microsoft.com/contactus/) starting with the Virtual Agent. To talk to a person about your issue, click **Get started** to interact with the Virtual Agent, then enter "Talk to a person" two times. The Virtual Agent can also help you to resolve many Windows upgrade issues. Also see: [Get help with Windows 10 upgrade and installation errors](https://support.microsoft.com/help/10587/windows-10-get-help-with-upgrade-installation-errors) and [Submit Windows 10 upgrade errors using Feedback Hub](submit-errors.md). This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade. @@ -53,8 +53,8 @@ See the following topics in this article: ## Related topics -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx) -
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx) +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
      [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
      [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 65b4e8d268..53856948d2 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 08/16/2018 +ms.date: 12/18/2018 ms.localizationpriority: medium --- @@ -24,7 +24,7 @@ ms.localizationpriority: medium ## About SetupDiag -Current version of SetupDiag: 1.3.1.0 +Current version of SetupDiag: 1.4.0.0 SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. @@ -61,11 +61,14 @@ The [Release notes](#release-notes) section at the bottom of this topic has info | --- | --- | | /? |
      • Displays interactive help
      | | /Output:\ |
      • This optional parameter enables you to specify the output file for results. This is where you will find what SetupDiag was able to determine. Only text format output is supported. UNC paths will work, provided the context under which SetupDiag runs has access to the UNC path. If the path has a space in it, you must enclose the entire path in double quotes (see the example section below).
      • Default: If not specified, SetupDiag will create the file **SetupDiagResults.log** in the same directory where SetupDiag.exe is run.
      | -| /Mode:\ |
      • This optional parameter allows you to specify the mode in which SetupDiag will operate: Offline or Online.
      • Offline: tells SetupDiag to run against a set of log files already captured from a failed system. In this mode you can run anywhere you have access to the log files. This mode does not require SetupDiag to be run on the computer that failed to update. When you specify offline mode, you must also specify the /LogsPath: parameter.
      • Online: tells SetupDiag that it is being run on the computer that failed to update. SetupDiag will attempt find log files and resources in standard Windows locations, such as the **%SystemDrive%\$Windows.~bt** directory for setup log files.
      • Log file search paths are configurable in the SetupDiag.exe.config file, under the SearchPath key. Search paths are comma separated. Note: A large number of search paths will extend the time required for SetupDiag to return results.
      • Default: If not specified, SetupDiag will run in Online mode.
      | -| /LogsPath:\ |
      • This optional parameter is required only when **/Mode:Offline** is specified. This tells SetupDiag.exe where to find the log files. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories. This parameter should be omitted when the **/Mode:Online** is specified.
      | +| /LogsPath:\ |
      • This optional parameter tells SetupDiag.exe where to find the log files for an offline analysis. These log files can be in a flat folder format, or containing multiple subdirectories. SetupDiag will recursively search all child directories.
      | | /ZipLogs:\ |
      • This optional parameter tells SetupDiag.exe to create a zip file containing the results and all the log files it parsed. The zip file is created in the same directory where SetupDiag.exe is run.
      • Default: If not specified, a value of 'true' is used.
      | -| /Verbose |
      • This optional parameter will output much more data to the log file produced by SetupDiag.exe. By default SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce a log file with debugging details, which can be useful when reporting a problem with SetupDiag.
      | +| /Verbose |
      • This optional parameter will output much more data to a log file. By default, SetupDiag will only produce a log file entry for serious errors. Using **/Verbose** will cause SetupDiag to always produce an additional log file with debugging details. These details can be useful when reporting a problem with SetupDiag.
      | | /Format:\ |
      • This optional parameter can be used to output log files in xml or JSON format. If this parameter is not specified, text format is used by default.
      | +| /NoTel |
      • This optional parameter tells SetupDiag.exe not to send diagnostic telemetry to Microsoft.
      | + +Note: The **/Mode** parameter is deprecated in version 1.4.0.0 of SetupDiag. +- In previous versions, this command was used with the LogsPath parameter to specify that SetupDiag should run in an offline manner to analyze a set of log files that were captured from a different computer. In version 1.4.0.0 when you specify /LogsPath then SetupDiag will automatically run in offline mode, therefore the /Mode parameter is not needed. ### Examples: @@ -75,10 +78,10 @@ In the following example, SetupDiag is run with default parameters (online mode, SetupDiag.exe ``` -In the following example, SetupDiag is specified to run in Online mode (this is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified. +In the following example, SetupDiag is run in online mode (this is the default). It will know where to look for logs on the current (failing) system, so there is no need to gather logs ahead of time. A custom location for results is specified. ``` -SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Online +SetupDiag.exe /Output:C:\SetupDiag\Results.log ``` The following example uses the /Output parameter to save results to a path name that contains a space: @@ -90,7 +93,7 @@ SetupDiag /Output:"C:\Tools\SetupDiag\SetupDiag Results\Results.log" The following example specifies that SetupDiag is to run in offline mode, and to process the log files found in **D:\Temp\Logs\LogSet1**. ``` -SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:D:\Temp\Logs\LogSet1 +SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:D:\Temp\Logs\LogSet1 ``` ## Log files @@ -111,7 +114,7 @@ When Microsoft Windows encounters a condition that compromises safe system opera If crash dumps [are enabled](https://docs.microsoft.com/windows-hardware/drivers/debugger/enabling-a-kernel-mode-dump-file) on the system, a crash dump file is created. If the bug check occurs during an upgrade, Windows Setup will extract a minidump (setupmem.dmp) file. SetupDiag can also debug these setup related minidumps. To debug a setup related bug check, you must: -- Specify the **/Mode:Offline** and **/LogsPath** parameters. You cannot debug memory dumps in online mode. +- Specify the **/LogsPath** parameter. You cannot debug memory dumps in online mode. - Gather the setup memory dump file (setupmem.dmp) from the failing system. - Setupmem.dmp will be created in either **%SystemDrive%\$Windows.~bt\Sources\Rollback**, or in **%WinDir%\Panther\NewOS\Rollback** depending on when the bug check occurs. - Install the [Windows Debugging Tools](https://docs.microsoft.com/windows-hardware/drivers/debugger/debugger-download-tools) on the computer that runs SetupDiag. @@ -119,7 +122,7 @@ To debug a setup related bug check, you must: In the following example, the **setupmem.dmp** file is copied to the **D:\Dump** directory and the Windows Debugging Tools are installed prior to running SetupDiag: ``` -SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /Mode:Offline /LogsPath:D:\Dump +SetupDiag.exe /Output:C:\SetupDiag\Dumpdebug.log /LogsPath:D:\Dump ``` ## Known issues @@ -135,10 +138,10 @@ The following is an example where SetupDiag is run in offline mode. In this exam The output also provides an error code 0xC1900208 - 0x4000C which corresponds to a compatibility issue as documented in the [Upgrade error codes](upgrade-error-codes.md#result-codes) and [Resolution procedures](resolution-procedures.md#modern-setup-errors) topics in this article. ``` -C:\SetupDiag>SetupDiag.exe /Output:C:\SetupDiag\Results.log /Mode:Offline /LogsPath:C:\Temp\BobMacNeill +C:\SetupDiag>SetupDiag.exe /Output:C:\SetupDiag\Results.log /LogsPath:C:\Temp\BobMacNeill -SetupDiag v1.01 -Copyright (c) Microsoft Corporation. All rights reserved +SetupDiag v1.4.0.0 +Copyright (c) Microsoft Corporation. All rights reserved. Searching for setup logs, this can take a minute or more depending on the number and size of the logs...please wait. Found 4 setupact.logs. @@ -182,7 +185,7 @@ This is a dismissible message when not running setup.exe in "/quiet" mode. Consider specifying "/compat /ignore warning" to ignore these dismissible warnings. You must manually uninstall "Microsoft Endpoint Protection" before continuing with the installation/update, or change the command line parameters to ignore warnings. For more information about Setup command line switches, see here: -https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options +https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options SetupDiag: processing rule: CompatBlockedApplicationManualUninstall. ....No match. @@ -253,7 +256,7 @@ SetupDiag: processing rule: FindDownlevelFailure. SetupDiag: processing rule: FindAbruptDownlevelFailure. ....Error: SetupDiag reports abrupt down-level failure. Last Operation: Finalize, Error: 0xC1900208 - 0x4000C Failure Data: Last Operation: Finalize, Error: 0xC1900208 - 0x4000C -Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information. +Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information. SetupDiag: processing rule: FindSetupPlatformFailedOperationInfo. ..No match. @@ -268,10 +271,10 @@ This is a dismissible message when not running setup.exe in "/quiet" mode. Consider specifying "/compat /ignore warning" to ignore these dismissible warnings. You must manually uninstall "Microsoft Endpoint Protection" before continuing with the installation/update, or change the command line parameters to ignore warnings. For more information about Setup command line switches, see here: -https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options +https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options Error: SetupDiag reports abrupt down-level failure. Last Operation: Finalize, Error: 0xC1900208 - 0x4000C Failure Data: Last Operation: Finalize, Error: 0xC1900208 - 0x4000C -Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information. +Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information. SetupDiag results were logged to: c:\setupdiag\results.log Logs ZipFile created at: c:\setupdiag\Logs_14.zip @@ -365,16 +368,42 @@ Each rule name and its associated unique rule identifier are listed with a descr 40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2 - Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code. 41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636 - - Matches any plug in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. + - Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code. 42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC - Indicates critical failure in the AdvancedInstaller while running an installer package, includes the .exe being called, the phase, mode, component and error codes. 43. MigrationAbortedDueToPluginFailure - D07A24F6-5B25-474E-B516-A730085940C9 - - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug in name, plug in action and error code. + - Indicates a critical failure in a migration plugin that causes setup to abort the migration. Will provide the setup operation, plug-in name, plug-in action and error code. 44. DISMAddPackageFailed - 6196FF5B-E69E-4117-9EC6-9C1EAB20A3B9 - Indicates a critical failure during a DISM add package operation. Will specify the Package Name, DISM error and add package error code. +45. PlugInComplianceBlock - D912150B-1302-4860-91B5-527907D08960 + - Detects all compat blocks from Server compliance plug-ins. Outputs the block information and remediation. +46. AdvancedInstallerGenericFailure - 4019550D-4CAA-45B0-A222-349C48E86F71 + - Triggers on advanced installer failures in a generic sense, outputting the application called, phase, mode, component and error code. +47. FindMigGatherApplyFailure - A9964E6C-A2A8-45FF-B6B5-25E0BD71428E + - Shows errors when the migration Engine fails out on a gather or apply operation. Indicates the Migration Object (file or registry path), the Migration +48. OptionalComponentFailedToGetOCsFromPackage - D012E2A2-99D8-4A8C-BBB2-088B92083D78 + - Indicates the optional component (OC) migration operation failed to enumerate optional components from an OC Package. Outputs the package name and error code. +49. OptionalComponentOpenPackageFailed - 22952520-EC89-4FBD-94E0-B67DF88347F6 + - Indicates the optional component migration operation failed to open an optional component Package. Outputs the package name and error code. +50. OptionalComponentInitCBSSessionFailed - 63340812-9252-45F3-A0F2-B2A4CA5E9317 + - Indicates corruption in the servicing stack on the down-level system. Outputs the error code encountered while trying to initialize the servicing component on the existing OS. +51. DISMproviderFailure - D76EF86F-B3F8-433F-9EBF-B4411F8141F4 + - Triggers when a DISM provider (plug-in) fails in a critical operation. Outputs the file (plug-in name), function called + error code, and error message from the provider. +52. SysPrepLaunchModuleFailure - 7905655C-F295-45F7-8873-81D6F9149BFD + - Indicates a sysPrep plug-in has failed in a critical operation. Indicates the plug-in name, operation name and error code. +53. UserProvidedDriverInjectionFailure - 2247C48A-7EE3-4037-AFAB-95B92DE1D980 + - A driver provided to setup (via command line input) has failed in some way. Outputs the driver install function and error code. ## Release notes +12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center. + - This release includes major improvements in rule processing performance: ~3x faster rule processing performance! + - The FindDownlevelFailure rule is up to 10x faster. + - New rules have been added to analyze failures upgrading to Windows 10 version 1809. + - A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure. + - Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode. + - Some functional and output improvements were made for several rules. + 07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center. - This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed. @@ -430,14 +459,14 @@ System Information: Error: SetupDiag reports Optional Component installation failed to open OC Package. Package Name: Foundation, Error: 0x8007001F Recommend you check the "Windows Modules Installer" service (Trusted Installer) is started on the system and set to automatic start, reboot and try the update again. Optionally, you can check the status of optional components on the system (search for Windows Features), uninstall any unneeded optional components, reboot and try the update again. Error: SetupDiag reports down-level failure, Operation: Finalize, Error: 0x8007001F - 0x50015 -Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-error-codes for error information. +Refer to https://docs.microsoft.com/windows/deployment/upgrade/upgrade-error-codes for error information. ``` ### XML log sample ``` - + 1.3.0.0 DiskSpaceBlockInDownLevel 6080AFAC-892E-4903-94EA-7A17E69E549E @@ -480,4 +509,4 @@ Refer to https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-err ## Related topics -[Resolve Windows 10 upgrade errors: Technical information for IT Pros](https://docs.microsoft.com/en-us/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) \ No newline at end of file +[Resolve Windows 10 upgrade errors: Technical information for IT Pros](https://docs.microsoft.com/windows/deployment/upgrade/resolve-windows-10-upgrade-errors) \ No newline at end of file diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md index c738d3a1cf..afefc6519e 100644 --- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md +++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md @@ -87,8 +87,8 @@ WIM = Windows image (Microsoft) ## Related topics -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx) -
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx) +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
      [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
      [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md index 57d117aeb9..00d8d41bb4 100644 --- a/windows/deployment/upgrade/upgrade-error-codes.md +++ b/windows/deployment/upgrade/upgrade-error-codes.md @@ -28,7 +28,7 @@ If the upgrade process is not successful, Windows Setup will return two codes: >For example, a result code of **0xC1900101** with an extend code of **0x4000D** will be returned as: **0xC1900101 - 0x4000D**. -Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/en-us/kb/3159635) then only a result code might be returned. +Note: If only a result code is returned, this can be because a tool is being used that was not able to capture the extend code. For example, if you are using the [Windows 10 Upgrade Assistant](https://support.microsoft.com/kb/3159635) then only a result code might be returned. >[!TIP] >If you are unable to locate the result and extend error codes, you can attempt to find these codes using Event Viewer. For more information, see [Windows Error Reporting](windows-error-reporting.md). @@ -54,19 +54,19 @@ Other result codes can be matched to the specific type of error encountered. To 1. Identify the error code type as either Win32 or NTSTATUS using the first hexadecimal digit:
      **8** = Win32 error code (ex: 0x**8**0070070)
      **C** = NTSTATUS value (ex: 0x**C**1900107) -2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/en-us/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/en-us/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error. +2. Write down the last 4 digits of the error code (ex: 0x8007**0070** = 0070). These digits are the actual error code type as defined in the [HRESULT](https://msdn.microsoft.com/library/cc231198.aspx) or the [NTSTATUS](https://msdn.microsoft.com/library/cc231200.aspx) structure. Other digits in the code identify things such as the device type that produced the error. 3. Based on the type of error code determined in the first step (Win32 or NTSTATUS), match the 4 digits derived from the second step to either a Win32 error code or NTSTATUS value using the following links: - - [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) - - [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx) + - [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) + - [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) Examples: - 0x80070070 - Based on the "8" this is a Win32 error code - - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/en-us/library/cc231199.aspx) table + - The last four digits are 0070, so look up 0x00000070 in the [Win32 error code](https://msdn.microsoft.com/library/cc231199.aspx) table - The error is: **ERROR_DISK_FULL** - 0xC1900107 - Based on the "C" this is an NTSTATUS error code - - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/en-us/library/cc704588.aspx) table + - The last four digits are 0107, so look up 0x00000107 in the [NTSTATUS value](https://msdn.microsoft.com/library/cc704588.aspx) table - The error is: **STATUS_SOME_NOT_MAPPED** Some result codes are self-explanatory, whereas others are more generic and require further analysis. In the examples shown above, ERROR_DISK_FULL indicates that the hard drive is full and additional room is needed to complete Windows upgrade. The message STATUS_SOME_NOT_MAPPED is more ambiguous, and means that an action is pending. In this case, the action pending is often the cleanup operation from a previous installation attempt, which can be resolved with a system reboot. @@ -149,8 +149,8 @@ For example: An extend code of **0x4000D**, represents a problem during phase 4 ## Related topics -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx) -
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx) +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
      [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
      [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index 15b27923b6..529808e5c4 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -42,7 +42,7 @@ In order to set the WinHTTP proxy system-wide on your computers, you need to The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3. -If you want to learn more about Proxy considerations on Windows, please take a look at this post in the ieinternals blog +If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/). ### Logged-in user’s Internet connection diff --git a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md index b5f0b2b68b..3aabb7b13b 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md +++ b/windows/deployment/upgrade/upgrade-readiness-deploy-windows.md @@ -1,8 +1,8 @@ --- -title: Upgrade Readiness - Get a list of computers that are upgrade-ready (Windows 10) +title: Upgrade Readiness - Get a list of computers that are upgrade ready (Windows 10) description: Describes how to get a list of computers that are ready to be upgraded in Upgrade Readiness. ms.prod: w10 -author: greg-lindsay +author: jaimeo ms.date: 04/19/2017 --- diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 774f54ce73..5c83f04180 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: jaimeo -ms.date: 05/31/2018 +ms.date: 12/12/2018 --- # Upgrade Readiness deployment script @@ -83,243 +83,69 @@ To run the Upgrade Readiness deployment script: The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. -
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Exit code and meaningSuggested fix
      0 - SuccessN/A
      1 - Unexpected error occurred while executiEng the script. The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again.
      2 - Error when logging to console. $logMode = 0.
      (console only)      		Try changing the $logMode value to **1** and try again.
      $logMode value 1 logs to both console and file.
      3 - Error when logging to console and file. $logMode = 1.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
      4 - Error when logging to file. $logMode = 2.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
      5 - Error when logging to console and file. $logMode = unknown.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
      6 - The commercialID parameter is set to unknown.
      Modify the runConfig.bat file to set the CommercialID value.      		The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. -
      See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace.
      8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection** -
      Verify that the context under which the script in running has access to the registry key.
      9 - The script failed to write Commercial Id to registry. -
      Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection** -       		Verify that the context under which the script in running has access to the registry key.
      10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**Verify that the deployment script is running in a context that has access to the registry key.
      11 - Function **SetupCommercialId** failed with an unexpected exception.The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**
      Verify that the configuration script has access to this location.
      12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings.**Http Get** on the end points did not return a success exit code.
      - For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive.
      - For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. -
      If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) -
      13 - Can’t connect to Microsoft - setting. An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. -14
      14 - Can’t connect to Microsoft - compatexchange.An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md).
      15 - Function CheckVortexConnectivity failed with an unexpected exception.This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult.
      16 - The computer requires a reboot before running the script.A reboot is required to complete the installation of the compatibility update and related KBs. Reboot the computer before running the Upgrade Readiness deployment script.
      17 - Function **CheckRebootRequired** failed with an unexpected exception.A reboot is required to complete installation of the compatibility update and related KBs. Check the logs for the exception message and the HResult.
      18 - Appraiser KBs not installed or **appraiser.dll** not found.Either the Appraiser KBs are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic.
      19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception.Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed.
      20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT -\CurrentVersion\AppCompatFlags\Appraiser** The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key.
      21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception.Check the logs for the exception message and HResult.
      22 - **RunAppraiser** failed with unexpected exception.Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file.
      23 - Error finding system variable **%WINDIR%**.Verify that this environment variable is configured on the computer.
      24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult.
      25 - The function **SetIEDataOptIn** failed with unexpected exception.Check the logs for the exception message and HResult.
      27 - The script is not running under **System** account.The Upgrade Readiness configuration script must be run as **System**.
      28 - Could not create log file at the specified **logPath**. Make sure the deployment script has access to the location specified in the **logPath** parameter.
      29 - Connectivity check failed for proxy authentication. Instal cumulative updates on the computer and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. -
      The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7. -
      For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). -
      For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688).
      30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled.The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7. -
      For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). -
      For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
      31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use the Windows Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled to run daily at 3 a.m.
      32 - Appraiser version on the machine is outdated. The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1.
      33 - **CompatTelRunner.exe** exited with an exit code **CompatTelRunner.exe** runs the appraise task on the machine. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow.
      34 - Function **CheckProxySettings** failed with an unexpected exception. Check the logs for the exception message and HResult.>
      35 - Function **CheckAuthProxy** failed with an unexpected exception.Check the logs for the exception message and HResult.
      36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception.Check the logs for the exception message and HResult.
      37 - **Diagnose_internal.cmd** failed with an unexpected exception.Check the logs for the exception message and HResult.
      38 - Function **Get-SqmID** failed with an unexpected exception. Check the logs for the exception message and HResult.
      39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection** - or **HKLM:\SOFTWARE\Microsoft\Windows -\CurrentVersion\Policies\DataCollection**For Windows 10 machines, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will throw an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization).
      40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. Check the logs for the exception message and HResult.
      41 - The script failed to impersonate the currently logged on user. The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the logged on user. The script also tries to mimic this, but the process failed.
      42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. Check the logs for the exception message and HResult.
      43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception.Check the logs for the exception message and HResult.
      44 - Diagtrack.dll version is old, so Auth Proxy will not work.Update the PC using Windows Update/Windows Server Update Services.
      45 - Diagrack.dll was not found.Update the PC using Windows Update/Windows Server Update Services.
      46 - **DisableEnterpriseAuthProxy** property should be set to **1** for **ClientProxy=Telemetry** to work.Set the **DisableEnterpriseAuthProxy** registry property to **1** at key path **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection**.
      47 - **TelemetryProxyServer** is not present in key path **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection**.**ClientProxy** selected is **Telemetry**, but you need to add **TelemetryProxyServer** in key path **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection**.
      48 - **CommercialID** mentioned in RunConfig.bat should be a GUID.**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**.
      50 - Diagtrack Service is not running.Diagtrack Service is required to send data to Microsoft. Enable and run the 'Connected User Experiences and Telemetry' service.
      51 - RunCensus failed with an unexpected exception.RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details.
      52 - DeviceCensus.exe not found on a Windows 10 machine.On computers running Windows 10, the process devicecensus.exe should be present in the \system32 folder. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location.
      53 - There is a different CommercialID present at the GPO path:  **HKLM:\SOFTWARE\Policies\Microsoft -\Windows\DataCollection**. This will take precedence over the CommercialID provided in the script.Provide the correct CommercialID at the GPO location.
      -
      +| Exit code | Suggested fix | +|-----------|--------------| +| 0 - Success | N/A | +| 1 - Unexpected error occurred while executing the script. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966) from the download center and try again. | +| 2 - Error when logging to console. $logMode = 0. (console only) | Try changing the $logMode value to **1** and try again. $logMode value 1 logs to both console and file. | +| 3 - Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. | +| 4 - Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. | +| 5 - Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. | +| 6 - The commercialID parameter is set to unknown. | Modify the runConfig.bat file to set the CommercialID value. The value for parameter in the runconfig.bat file should match the Commercial ID key for your workspace. See [Generate your Commercial ID key](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#generate-your-commercial-id-key) for instructions on generating a Commercial ID key for your workspace. | +| 8 - Failure to create registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection**. The Commercial Id property is set at the following registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. | +| 9 - The script failed to write Commercial Id to registry. +Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the context under which the script in running has access to the registry key. | +| 10 - Error when writing **CommercialDataOptIn** to the registry at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the deployment script is running in a context that has access to the registry key. | +| 11 - Function **SetupCommercialId** failed with an unexpected exception. The **SetupCommercialId** function updates the Commercial Id at the registry key path: **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | Verify that the configuration script has access to this location. | +| 12 - Can’t connect to Microsoft - Vortex. Check your network/proxy settings. | **Http Get** on the end points did not return a success exit code. For Windows 10, connectivity is verified by connecting to https://v10.vortex-win.data.microsoft.com/health/keepalive. For previous operating systems, connectivity is verified by connecting to https://vortex-win.data.microsoft.com/health/keepalive. If there is an error verifying connectivity, this will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md) | +| 13 - Can’t connect to Microsoft - setting. | An error occurred connecting to https://settings.data.microsoft.com/qos. This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#enable-data-sharing). Verify that the required endpoints are whitelisted correctly. See Whitelist select endpoints for more details. | +| 14 - Can’t connect to Microsoft - compatexchange. An error occurred connecting to [CompatibilityExchangeService.svc](https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc). | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). | +| 15 - Function CheckVortexConnectivity failed with an unexpected exception. | This error will prevent the collected data from being sent to Upgrade Readiness. To resolve this issue, verify that the required endpoints are correctly whitelisted. For more information, see [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md). Check the logs for the exception message and the HResult. | +| 16 - The computer requires a reboot before running the script. | Restart the device to complete the installation of the compatibility update and related updates. Reboot the computer before running the Upgrade Readiness deployment script. | +| 17 - Function **CheckRebootRequired** failed with an unexpected exception. | Restart the device to complete installation of the compatibility update and related updates. Check the logs for the exception message and the HResult. | +|18 - Appraiser KBs not installed or **appraiser.dll** not found. | Either the Appraiser-related updates are not installed, or the **appraiser.dll** file was not found. For more information, see appraiser diagnostic data events and fields information in the [Data collection](https://technet.microsoft.com/itpro/windows/deploy/upgrade-readiness-get-started#data-collection-and-privacy) and privacy topic. | +| 19 - Function **CheckAppraiserKB**, which checks the compatibility update KBs, failed with unexpected exception. | Check the logs for the Exception message and HResult. The script will not run further if this error is not fixed. | +| 20 - An error occurred when creating or updating the registry key **RequestAllAppraiserVersions** at **HKLM:\SOFTWARE\Microsoft\WindowsNT \CurrentVersion\AppCompatFlags\Appraiser** | The registry key is required for data collection to work correctly. Verify that the script is running in a context that has access to the registry key. | +| 21 - Function **SetRequestAllAppraiserVersions** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 22 - **RunAppraiser** failed with unexpected exception. | Check the logs for the exception message and HResult. Check the **%windir%\System32** directory for the file **CompatTelRunner.exe**. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization's Group Policy to verify it does not remove this file. | +| 23 - Error finding system variable **%WINDIR%**. | Verify that this environment variable is configured on the computer. | +| 24 - The script failed when writing **IEDataOptIn** to the registry. An error occurred when creating registry key **IEOptInLevel** at **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | This is a required registry key for IE data collection to work correctly. Verify that the deployment script in running in a context that has access to the registry key. Check the logs for the exception message and HResult. | +| 25 - The function **SetIEDataOptIn** failed with unexpected exception. | Check the logs for the exception message and HResult. | +| 27 - The script is not running under **System** account. | The Upgrade Readiness configuration script must be run as **System**. | +| 28 - Could not create log file at the specified **logPath**. | Make sure the deployment script has access to the location specified in the **logPath** parameter. | +| 29 - Connectivity check failed for proxy authentication. | Install cumulative updates on the device and enable the **DisableEnterpriseAuthProxy** authentication proxy setting. The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [Authentication proxy support added in new version (12.28.16) of the Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?linkid=838688). | +| 30 - Connectivity check failed. Registry key property **DisableEnterpriseAuthProxy** is not enabled. | The **DisableEnterpriseAuthProxy** setting is enabled by default for Windows 7\. For Windows 8.1 computers, set the **DisableEnterpriseAuthProxy** setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). | +| 31 - There is more than one instance of the Upgrade Readiness data collector running at the same time on this computer. Use Task Manager to check if **CompatTelRunner.exe** is running, and wait until it has completed to rerun the script. The Upgrade Readiness task is scheduled by default to run daily at 0300. | +| 32 - Appraiser version on the machine is outdated. | The configuration script detected a version of the compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Readiness solution. Use the latest version of the [compatibility update](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#deploy-the-compatibility-update-and-related-updates) for Windows 7 SP1/Windows 8.1. | +| 33 - **CompatTelRunner.exe** exited with an exit code | **CompatTelRunner.exe** runs the appraise task on the device. If it fails, it will provide a specific exit code. The script will return exit code 33 when **CompatTelRunner.exe** itself exits with an exit code. Check the logs for more details. Also see the **Note** following this table for additional steps to follow. | +| 34 - Function **CheckProxySettings** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 35 - Function **CheckAuthProxy** failed with an unexpected exception. Check the logs for the exception message and HResult. | +| 36 - Function **CheckAppraiserEndPointsConnectivity** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 37 - **Diagnose_internal.cmd** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 38 - Function **Get-SqmID** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 39 - For Windows 10: AllowTelemetry property is not set to 1 or higher at registry key path **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection** or **HKLM:\SOFTWARE\Microsoft\Windows \CurrentVersion\Policies\DataCollection** | For Windows 10 devices, the **AllowTelemetry** property should be set to 1 or greater to enable data collection. The script will return an error if this is not true. For more information, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). | +| 40 - Function **CheckTelemetryOptIn** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 41 - The script failed to impersonate the currently logged on user. | The script mimics the UTC client to collect upgrade readiness data. When auth proxy is set, the UTC client impersonates the user that is logged on. The script also tries to mimic this, but the process failed. | +| 42 - Function **StartImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. | Check the logs for the exception message and HResult. | +| 44 - Diagtrack.dll version is old, so Auth Proxy will not work. | Update the device using Windows Update or Windows Server Update Services. | +| 45 - Diagrack.dll was not found. | Update the device using Windows Update or Windows Server Update Services. | +| 48 - **CommercialID** mentioned in RunConfig.bat should be a GUID. | Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**. | +| 50 - Diagtrack Service is not running. | The Diagtrack service is required to send data to Microsoft. Enable and run the "Connected User Experiences and Telemetry" service. | +| 51 - RunCensus failed with an unexpected exception. | RunCensus explitly runs the process used to collect device information. The method failed with an unexpected exception. Check the ExceptionHResult and ExceptionMessage for more details. | +| 52 - DeviceCensus.exe not found on a Windows 10 machine. | On computers running Windows 10, the process devicecensus.exe should be present in the \system32 directory. Error code 52 is returned if the process was not found. Ensure that it exists at the specified location. | +| 53 - There is a different CommercialID present at the GPO path: **HKLM:\SOFTWARE\Policies\Microsoft \Windows\DataCollection**. This will take precedence over the CommercialID provided in the script. | Provide the correct CommercialID at the GPO location. | +| 54 - Microsoft Account Sign In Assistant Service is Disabled. | This service is required for devices running Windows 10. The diagnostic data client relies on the Microsoft Account Sign In Assistant (MSA) to get the Global Device ID for the device. Without the MSA service running, the global device ID will not be generated and sent by the client. | +| 55 - SetDeviceNameOptIn function failed to create registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | The function SetDeviceNameOptIn sets the registry key value which determines whether to send the device name in diagnostic data. The function tries to create the registry key path if it does not already exist. Verify that the account has the correct permissions to change or add registry keys. | +| 56 - SetDeviceNameOptIn function failed to create property AllowDeviceNameInTelemetry at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys.| +| 57 - SetDeviceNameOptIn function failed to update AllowDeviceNameInTelemetry property to value 1 at registry key path: **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** | Verify that the account has the correct permissions to change or add registry keys. | +| 58 - SetDeviceNameOptIn function failed with unexpected exception | The function SetDeviceNameOptIn failed with an unexpected exception. | +| 59 - CleanupOneSettings failed to delete LastPersistedEventTimeOrFirstBoot property at registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack** |The CleanupOneSettings function clears some of the cached values needed by the Appraiser which is the data collector on the monitored device. This helps in the download of the most recent for accurate running of the data collector. Verify that the account has the correct permissions to change or add registry keys. | +| 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. | +| 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. | + + + >[!NOTE] diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 3c18dab043..35d32c83e9 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 08/21/2018 +ms.date: 10/10/2018 ms.localizationpriority: medium --- @@ -38,32 +38,38 @@ When you are ready to begin using Upgrade Readiness, perform the following steps To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information. -## Add Upgrade Readiness to Operations Management Suite or Azure Log Analytics +## Add the Upgrade Readiness solution to your Azure subscription -Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). +Upgrade Readiness is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follows these steps: ->[!IMPORTANT] ->Upgrade Readiness is a free solution for Azure subscribers. When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure. Upgrade Readiness data **do not** count toward OMS daily upload limits. The Upgrade Readiness service will ingest a full snapshot of your data into your OMS workspace on a daily basis. Each snapshot includes all of your devices that have been active within the past 30 days regardless of your OMS retention period. +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. + + >[!NOTE] + > Upgrade Readiness is included at no additional cost with Windows 10 Professional, Education, and Enterprise editions. An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. -If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. +2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution. + ![Azure portal page highlighting + Create a resource and with Upgrade Readiness selected](../images/UR-Azureportal1.png) ->[!NOTE] ->If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=CompatibilityAssessment) to go directly to the Upgrade Readiness solution and add it to your workspace. - -If you are not using OMS or Azure Log Analytics: - -1. Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. -2. Sign in to Operations Management Suite (OMS) or Azure Log Analytics. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. -3. Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. -4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. - - > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. - -5. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness. + ![Azure portal showing Upgrade Readiness fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](../images/UR-Azureportal2.png) +3. Choose an existing workspace or create a new workspace to host the Upgrade Readiness solution. + ![Azure portal showing Log Analytics workspace fly-in](../images/UR-Azureportal3.png) + - If you are using other Windows Analytics solutions (Device Health or Update Compliance) you should add Upgrade Readiness to the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **Free**. +4. Now that you have selected a workspace, you can go back to the Upgrade Readiness blade and select **Create**. + ![Azure portal showing workspace selected and with Create button highlighted](../images/UR-Azureportal4.png) +5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.CompatibilityAssessmentOMS' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. + ![Azure portal all services page with Log Analytics found and selected as favorite](../images/CreateSolution-Part5-GoToResource.png) + - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Upgrade Readiness solution. + - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. ## Enroll devices in Windows Analytics -Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). + +Once you've added Upgrade Readiness to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). diff --git a/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md new file mode 100644 index 0000000000..be3d2aee32 --- /dev/null +++ b/windows/deployment/upgrade/upgrade-readiness-monitor-deployment.md @@ -0,0 +1,48 @@ +--- +title: Monitor deployment with Upgrade Readiness +description: Describes how to use Upgrade Readiness to monitor the deployment after Windows upgrades. +keywords: windows analytics, oms, operations management suite, prerequisites, requirements, upgrades, log analytics, +ms.localizationpriority: medium +ms.prod: w10 +author: jaimeo +ms.author: jaimeo +ms.date: 11/07/2018 +--- + +# Upgrade Readiness - Step 4: Monitor + +Now that you have started deploying an update with Upgrade Readiness, you can use it to monitor important elements. + +![Upgrade Readiness dialog showing "STEP 4: Monitor" and blades for "Update progress," "Driver issues," and "User feedback"](../images/UR-monitor-main.png) + + +## Update progress + +The **Update progress** blade allows you to monitor the progress and status of your deployment. Any device that has attepted to upgrade in the last 30 days displays the **DeploymentStatus** attribute. You'll be able to see the number of computers that have successfully upgraded, failed to upgrade, are stalled, etc. + + +Selecting this blade allows you to view device-level details about the deployment. For example, select **Failed** to view the original operating system version, the target operating system version, and the reason the update failed for each of the devices that failed to upgrade. In the case of the device illustrated in the following image, an attempt was made to upgrade from Windows 10, version 1703 to 1709, but the operation timed out. + +!["Update progress" blade showing detailed information after selecting the "failed" item](../images/UR-update-progress-failed-detail.png) + + +## Driver issues + +The **Driver issues** blade allows you to see Device Manager errors for your upgraded devices. We include data for all compatibility-related device errors, such as "driver not found" and "driver not started." The blade summarizes errors by error type, but you can select a particular error type to see device-level details about which device(s) are failing and where to obtain a driver. + + +For example, by selecting error code **28 - driver not installed**, you would see that the device in the following image is missing the driver for a network controller. Upgrade Readiness also notifies that a suitable driver is available online through Windows Update. If this device is configured to automatically receive updates from Windows Update, this issue would likely resolve itself following the device's next Windows Update scan. If this device does not automatically receive updates from Windows Update, you would need to deliver the driver manually. + +!["Driver issue" blade showing detailed information after selecting a specific driver error](../images/UR-driver-issue-detail.png) + +## User feedback + +The **User Feedback** blade focuses on gathering subjective feedback from your end users. If a user submits feedback through the Feedback Hub app on a device in your workspace, we will make that feedback visible to you in this blade. The Feedback Hub app is built into Windows 10 and can be accessed by typing "Feedback Hub" in the Cortana search bar. + + +We recommend that you encourage your end users to submit any feedback they have through Feedback Hub. Not only will this feedback be sent directly to Microsoft for review, but you'll also be able to see it by using Upgrade Readiness. You should be aware that **feedback submitted through Feedback Hub will be publicly visible**, so it's best to avoid submitting feedback about internal line-of-business applications. + +When viewing user feedback in Upgrade Readiness, you'll be able to see the raw "Title" and "Feedback" text from the user's submission in Feedback Hub, as well as the number of upvotes the submission has received. (Since feedback is publicly visible, the number of upvotes is a global value and not specific to your company.) If a Microsoft engineer has responded to the submission in Feedback Hub, we'll pull in the Microsoft response for you to see as well. + +![Example user feedback item](../images/UR-example-feedback.png) + \ No newline at end of file diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index b1d5d0463a..03b001c31f 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -38,7 +38,7 @@ While Upgrade Readiness can be used to assist with updating devices from Windows ## Operations Management Suite or Azure Log Analytics -Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premises and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). +Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premises and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md index 8bc47524c0..bef52aab7a 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-system-center-configuraton-manager.md @@ -22,7 +22,7 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi ## Proof-of-concept environment -For the purposes of this topic, we will use four machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a Windows Server 2012 R2 standard machine, fully patched with the latest security updates, and configured as a member server in the fictional contoso.com domain. PC0003 is a machine with Windows 7 SP1, targeted for the Windows 10 upgrade. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). ![figure 1](../images/upgrademdt-fig1-machines.png) diff --git a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md index 596c5c9540..d6cdab7ce2 100644 --- a/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/upgrade/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md @@ -66,7 +66,7 @@ Figure 2. The imported Windows 10 operating system after you rename it. - Task sequence ID: W10-X64-UPG - Task sequence name: Windows 10 Enterprise x64 RTM Upgrade - Template: Standard Client Upgrade Task Sequence - - Select OS: Windows 10 Enterprise x64 RTM RTM Default Image + - Select OS: Windows 10 Enterprise x64 RTM Default Image - Specify Product Key: Do not specify a product key at this time - Full Name: Contoso - Organization: Contoso @@ -103,4 +103,4 @@ After the task sequence completes, the computer will be fully upgraded to Window [Windows 10 deployment scenarios](../windows-10-deployment-scenarios.md) [Microsoft Deployment Toolkit downloads and resources](https://go.microsoft.com/fwlink/p/?LinkId=618117) -  \ No newline at end of file +  diff --git a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md index 9677c6128d..8c687c4309 100644 --- a/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md +++ b/windows/deployment/upgrade/upgrade-windows-phone-8-1-to-10.md @@ -22,7 +22,7 @@ This article describes how to upgrade eligible Windows Phone 8.1 devices to Wind The Windows Phone 8.1 to Windows 10 Mobile upgrade uses an "opt-in" or "seeker" model. An eligible device must opt-in to be offered the upgrade. For consumers, the Windows 10 Mobile Upgrade Advisor app is available from the Windows Store to perform the opt-in. For Enterprises, Microsoft is offering a centralized management solution through MDM that can push a management policy to each eligible device to perform the opt-in. -If you use a list of allowed applications (app whitelisting) with MDM, verify that system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056.aspx#whitelist) with app whitelisting that could adversely affect the device after you upgrade. +If you use a list of allowed applications (app whitelisting) with MDM, verify that system applications are whitelisted before you upgrade to Windows 10 Mobile. Also, be aware that there are [known issues](https://msdn.microsoft.com/library/windows/hardware/mt299056.aspx#whitelist) with app whitelisting that could adversely affect the device after you upgrade. Some enterprises might want to control the availability of the Windows 10 Mobile upgrade to their users. With the opt-in model, the enterprise can blacklist the Upgrade Advisor app to prevent their users from upgrading prematurely. For more information about how to blacklist the Upgrade Advisor app, see the [How to blacklist the Upgrade Advisor app](#howto-blacklist) section in this article. Enterprises that have blacklisted the Upgrade Advisor app can use the solution described in this article to select the upgrade timing on a per-device basis. @@ -97,7 +97,7 @@ Some enterprises may want to block their users from installing the Windows 10 Mo http://windowsphone.com/s?appid=fbe47e4f-7769-4103-910e-dca8c43e0b07 -For more information about how to do this, see [Try it out: restrict Windows Phone 8.1 apps](https://technet.microsoft.com/en-us/windows/dn771706.aspx). +For more information about how to do this, see [Try it out: restrict Windows Phone 8.1 apps](https://technet.microsoft.com/windows/dn771706.aspx). ## Related topics diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index 450da4c243..e9b94e674c 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md @@ -8,7 +8,7 @@ ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mobile author: greg-lindsay -ms.date: 07/06/2018 +ms.date: 10/25/2018 --- # Windows 10 edition upgrade @@ -24,6 +24,8 @@ For a list of operating systems that qualify for the Windows 10 Pro Upgrade or W The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607. +Note: Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](https://docs.microsoft.com/sccm/compliance/deploy-use/upgrade-windows-version) in System Center Configuratio Manager. + ![not supported](../images/x_blk.png) (X) = not supported
      ![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required
      ![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required
      @@ -64,7 +66,7 @@ X = unsupported
      > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md) > - Each desktop edition in the table also has an N and KN SKU. These editions have had media-related functionality removed. Devices with N or KN SKUs installed can be upgraded to corresponding N or KN SKUs using the same methods. >
      -> - Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. +> - Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes) the term LTSB might still be displayed in some products. This name will change to LTSC with subsequent feature updates. ## Upgrade using mobile device management (MDM) - To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](https://go.microsoft.com/fwlink/p/?LinkID=690907). @@ -79,8 +81,8 @@ Use Windows Configuration Designer to create a provisioning package to upgrade a - To create a provisioning package for upgrading mobile editions of Windows 10, go to **Runtime settings > EditionUpgrade > UpgradeEditionWithLicense** in the **Available customizations** panel in Windows ICD and enter the product key for the upgraded edition. For more info about Windows Configuration Designer, see these topics: -- [Create a provisioining package for Windows 10](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package) -- [Apply a provisioning package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package) +- [Create a provisioining package for Windows 10](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-create-package) +- [Apply a provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-apply-package) ## Upgrade using a command-line tool @@ -88,7 +90,7 @@ You can run the changepk.exe command-line tool to upgrade devices to a supported `changepk.exe /ProductKey ` -You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise. +You can also upgrade using slmgr.vbs and a [KMS client setup key](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v%3dws.11)). For example, the following command will upgrade to Windows 10 Enterprise. `Cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43` @@ -134,7 +136,7 @@ Downgrading from Enterprise - Upgrade edition: **Enterprise** - Valid downgrade paths: **Pro, Pro for Workstations, Pro Education, Education** -You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supercede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/en-us/download/details.aspx?id=11091). +You can move directly from Enterprise to any valid destination edition. In this example, downgrading to Pro for Workstations, Pro Education, or Education requires an additional activation key to supersede the firmware-embedded Pro key. In all cases, you must comply with [Microsoft License Terms](https://www.microsoft.com/useterms). If you are a volume license customer, refer to the [Microsoft Volume Licensing Reference Guide](https://www.microsoft.com/en-us/download/details.aspx?id=11091). ### Supported Windows 10 downgrade paths @@ -233,7 +235,7 @@ You can move directly from Enterprise to any valid destination edition. In this ->**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. +>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. >**Windows N/KN**: Windows "N" and "KN" SKUs follow the same rules shown above. @@ -243,4 +245,4 @@ Some slightly more complex scenarios are not represented by the table above. For [Windows 10 upgrade paths](https://docs.microsoft.com/windows/deployment/upgrade/windows-10-upgrade-paths)
      [Windows 10 volume license media](https://docs.microsoft.com/windows/deployment/windows-10-media)
      -[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) \ No newline at end of file +[Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 166c96a39c..c4d8887279 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md @@ -22,7 +22,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can >**Windows 10 version upgrade**: You can directly upgrade a supported version of Windows 10 to a newer version of Windows 10, even if it involves skipping versions. Work with your account representative if your current version of Windows is out of support. See the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) for availability and service information. ->**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/en-us/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. +>**Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. >In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md index d351df198f..00ad7ccbf0 100644 --- a/windows/deployment/upgrade/windows-error-reporting.md +++ b/windows/deployment/upgrade/windows-error-reporting.md @@ -59,8 +59,8 @@ The event will also contain links to log files that can be used to perform a det ## Related topics -[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/en-us/windows/dn798755.aspx) -
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/en-us/windows/dn798752.aspx) +[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx) +
      [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
      [Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
      [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
      [Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821) diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index c62c65555b..ebb0b5998f 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -52,7 +52,7 @@ To enable KMS functionality, a KMS key is installed on a KMS host; then, the hos For more information, see the information for Windows 7 in [Deploy KMS Activation](https://go.microsoft.com/fwlink/p/?LinkId=717032). ## Key Management Service in Windows Server 2012 R2 -Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Sever 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. +Installing a KMS host key on a computer running Windows Server allows you to activate computers running Windows Server 2012 R2, Windows Server 2008 R2, Windows Server 2008, Windows 10, Windows 8.1, Windows 7, and Windows Vista. **Note**   You cannot install a client KMS key into the KMS in Windows Server. diff --git a/windows/deployment/volume-activation/active-directory-based-activation-overview.md b/windows/deployment/volume-activation/active-directory-based-activation-overview.md index e64be6f39d..80c66dec36 100644 --- a/windows/deployment/volume-activation/active-directory-based-activation-overview.md +++ b/windows/deployment/volume-activation/active-directory-based-activation-overview.md @@ -7,18 +7,29 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation author: greg-lindsay -ms.date: 04/19/2017 +ms.date: 12/07/2018 --- -# Active Directory-Based Activation Overview +# Active Directory-Based Activation overview Active Directory-Based Activation (ADBA) enables enterprises to activate computers through a connection to their domain. Many companies have computers at offsite locations that use products that are registered to the company. Previously these computers needed to either use a retail key or a Multiple Activation Key (MAK), or physically connect to the network in order to activate their products by using Key Management Services (KMS). ADBA provides a way to activate these products if the computers can join the company’s domain. When the user joins their computer to the domain, the ADBA object automatically activates Windows installed on their computer, as long as the computer has a Generic Volume License Key (GVLK) installed. No single physical computer is required to act as the activation object, because it is distributed throughout the domain. -## Active Directory-Based Activation Scenarios +## ADBA scenarios -VAMT enables IT Professionals to manage and activate the Active Directory-Based Activation object. Activation can be performed by using a scenario such as the following: -- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the Active Directory-Based Activation Object a name. -- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the Active Directory-Based Activation Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. +You might use ADBA if you only want to activate domain joined devices. + +If you have a server hosting the KMS service, it can be necessary to reactivate licenses if the server is replaced with a new host. This is not necessary When ADBA is used. + +ADBA can also make load balancing easier when multiple KMS servers are present since the client can connect to any domain controller. This is simpler than using the DNS service to load balance by configuring priority and weight values. + +Some VDI solutions also require that new clients activate during creation before they are added to the pool. In this scenario, ADBA can eliminate potential VDI issues that might arise due to a KMS outage. + + +## ADBA methods + +VAMT enables IT Professionals to manage and activate the ADBA object. Activation can be performed using the following methods: +- Online activation: To activate an ADBA forest online, the user selects the **Online activate forest** function, selects a KMS Host key (CSVLK) to use, and gives the ADBA Object a name. +- Proxy activation: For a proxy activation, the user first selects the **Proxy activate forest** function, selects a KMS Host key (CSVLK) to use, gives the ADBA Object a name, and provides a file name to save the CILx file that contains the Installation ID. Next, the user takes that file to a computer that is running VAMT with an Internet connection and then selects the **Acquire confirmation IDs for CILX** function on the VAMT landing page, and provides the original CILx file. When VAMT has loaded the Confirmation IDs into the original CILx file, the user takes this file back to the original VAMT instance, where the user completes the proxy activation process by selecting the **Apply confirmation ID to Active Directory domain** function. ## Related topics diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md index 9a44885b94..684ee94aa7 100644 --- a/windows/deployment/windows-10-deployment-scenarios.md +++ b/windows/deployment/windows-10-deployment-scenarios.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library -ms.date: 04/03/2018 +ms.date: 11/06/2018 author: greg-lindsay --- @@ -19,9 +19,9 @@ author: greg-lindsay To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task. The following table summarizes various Windows 10 deployment scenarios. The scenarios are each assigned to one of three categories. -- Modern deployment methods are recommended unless you have a specific need to use a different procedure. +- Modern deployment methods are recommended unless you have a specific need to use a different procedure. These methods are supported with existing tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager. These methods are discussed in detail on the [Modern Desktop Deployment Center](https://docs.microsoft.com/microsoft-365/enterprise/desktop-deployment-center-home). - Dynamic deployment methods enable you to configure applications and settings for specific use cases. -- Traditional deployment methods use tools such as Microsoft Deployment Toolkit (MDT) and System Center Configuration Manager.
        +- Traditional deployment methods use existing tools to deploy operating system images.
        @@ -36,7 +36,7 @@ The following table summarizes various Windows 10 deployment scenarios. The scen Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured. @@ -147,7 +147,7 @@ Modern deployment methods embrace both traditional on-prem and cloud services to Windows Autopilot is a new suite of capabilities designed to simplify and modernize the deployment and management of new Windows 10 PCs. Windows Autopilot enables IT professionals to customize the Out of Box Experience (OOBE) for Windows 10 PCs and provide end users with a fully configured new Windows 10 device after just a few clicks. There are no images to deploy, no drivers to inject, and no infrastructure to manage. Users can go through the deployment process independently, without the need consult their IT administrator. -For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/en-us/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). +For more information about Windows Autopilot, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot) and [Modernizing Windows deployment with Windows Autopilot](https://blogs.technet.microsoft.com/windowsitpro/2017/06/29/modernizing-windows-deployment-with-windows-autopilot/). ### In-place upgrade @@ -161,11 +161,11 @@ Because existing applications are preserved through the process, the upgrade pro Scenarios that support in-place upgrade with some additional procedures include changing from BIOS to UEFI boot mode and upgrade of devices that use non-Microsoft disk encryption software. -- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. +- **Legacy BIOS to UEFI booting**: To perform an in-place upgrade on a UEFI-capable system that currently boots using legacy BIOS, first perform the in-place upgrade to Windows 10, maintaining the legacy BIOS boot mode. Windows 10 does not require UEFI, so it will work fine to upgrade a system using legacy BIOS emulation. After the upgrade, if you wish to enable Windows 10 features that require UEFI (such as Secure Boot), you can convert the system disk to a format that supports UEFI boot using the [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) tool. Note: [UEFI specification](http://www.uefi.org/specifications) requires GPT disk layout. After the disk has been converted, you must also configure the firmware to boot in UEFI mode. - **Non-Microsoft disk encryption software**: While devices encrypted with BitLocker can easily be upgraded, more work is necessary for non-Microsoft disk encryption tools. Some ISVs will provide instructions on how to integrate their software into the in-place upgrade process. Check with your ISV to see if they have instructions. The following articles provide details on how to provision encryption drivers for use during Windows Setup via the ReflectDrivers setting: - - [Windows Setup Automation Overview](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-automation-overview) - - [Windows Setup Command-Line Options](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options) + - [Windows Setup Automation Overview](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-automation-overview) + - [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options) There are some situations where you cannot use in-place upgrade; in these situations, you can use traditional deployment (wipe-and-load) instead. Examples of these situations include: @@ -183,12 +183,12 @@ The goal of dynamic provisioning is to take a new PC out of the box, turn it on, ### Windows 10 Subscription Activation -Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation). +Windows 10 Subscription Activation is a modern deployment method that enables you to change the SKU from Pro to Enterprise with no keys and no reboots. For more information about Subscription Activation, see [Windows 10 Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation). ### Azure Active Directory (AAD) join with automatic mobile device management (MDM) enrollment -In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm). +In this scenario, the organization member just needs to provide their work or school user ID and password; the device can then be automatically joined to Azure Active Directory and enrolled in a mobile device management (MDM) solution with no additional user interaction. Once done, the MDM solution can finish configuring the device as needed. For more information, see [Azure Active Directory integration with MDM](https://docs.microsoft.com/windows/client-management/mdm/azure-active-directory-integration-with-mdm). ### Provisioning package configuration diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md index 7d3667d5c6..950c8553a1 100644 --- a/windows/deployment/windows-10-enterprise-e3-overview.md +++ b/windows/deployment/windows-10-enterprise-e3-overview.md @@ -248,6 +248,6 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition f ## Related topics [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) -
      [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/) +
      [Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
      [Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
      [Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx) diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index 4cba541195..7942cf6e89 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md @@ -20,7 +20,7 @@ With Windows 10 version 1703 (also known as the Creator’s Update), both Window - Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise. - Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions. -Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-whatis). +Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-whatis). See the following topics in this article: - [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. @@ -151,7 +151,7 @@ changepk.exe /ProductKey %ProductKey% ### Obtaining an Azure AD licence Enterprise Agreement/Software Assurance (EA/SA): -- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/en-us/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea). +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea). - The license administrator can assign seats to Azure AD users with the same process that is used for O365. - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. @@ -172,6 +172,6 @@ Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscr ## Related topics -[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-devices-group-policy/) +[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)
      [Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)
      [Windows for business](https://www.microsoft.com/en-us/windowsforbusiness/default.aspx) diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md index 5c76526147..23489fb3dd 100644 --- a/windows/deployment/windows-10-media.md +++ b/windows/deployment/windows-10-media.md @@ -25,7 +25,7 @@ To download Windows 10 installation media from the VLSC, use the product search When you select a product, for example “Windows 10 Enterprise” or “Windows 10 Education”, you can then choose the specific release by clicking **Download** and choosing the **Download Method**, **Language**, and **Operating system Type** (bitness). ->If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/en-us/windows/release-info.aspx). +>If you do not see a Windows 10 release available in the list of downloads, verify the [release date](https://technet.microsoft.com/windows/release-info.aspx). In Windows 10, version 1709 the packaging of volume licensing media and upgrade packages is different than it has been for previous releases. Instead of having separate media and packages for Windows 10 Pro (volume licensing version), Windows 10 Enterprise, and Windows 10 Education, all three are bundled together. The following section explains this change. @@ -75,7 +75,7 @@ Features on demand is a method for adding features to your Windows 10 image that [Microsoft Volume Licensing Service Center (VLSC) User Guide](https://www.microsoft.com/en-us/download/details.aspx?id=10585)
      [Volume Activation for Windows 10](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-windows-10) -
      [Plan for volume activation](https://docs.microsoft.com/en-us/windows/deployment/volume-activation/plan-for-volume-activation-client) +
      [Plan for volume activation](https://docs.microsoft.com/windows/deployment/volume-activation/plan-for-volume-activation-client)
      [VLSC downloads FAQ](https://www.microsoft.com/Licensing/servicecenter/Help/FAQDetails.aspx?id=150)
      [Download and burn an ISO file on the volume licensing site (VLSC)](https://support.microsoft.com/help/2472143/download-and-burn-an-iso-file-on-the-volume-licensing-site-vlsc) diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md index c6276915b7..789488af22 100644 --- a/windows/deployment/windows-10-poc-mdt.md +++ b/windows/deployment/windows-10-poc-mdt.md @@ -123,7 +123,7 @@ A reference image serves as the foundation for Windows 10 devices in your organi - Progress: wait for files to be copied - Confirmation: click **Finish** - >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/en-us/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. + >For purposes of this test lab, we will only add the prerequisite .NET Framework feature. Commerical applications (ex: Microsoft Office) will not be added to the deployment share. For information about adding applications, see the [Add applications](https://technet.microsoft.com/itpro/windows/deploy/create-a-windows-10-reference-image#sec03) section of the [Create a Windows 10 reference image](deploy-windows-mdt/create-a-windows-10-reference-image.md) topic in the TechNet library. 11. The next step is to create a task sequence to reference the operating system that was imported. To create a task sequence, right-click the **Task Sequences** node and then click **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: - Task sequence ID: **REFW10X64-001**
      @@ -640,7 +640,7 @@ Also see [Resolve Windows 10 upgrade errors](upgrade/resolve-windows-10-upgrade- ## Related Topics -[Microsoft Deployment Toolkit](https://technet.microsoft.com/en-US/windows/dn475741)
      +[Microsoft Deployment Toolkit](https://technet.microsoft.com/windows/dn475741)
      [Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)   diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 2a6a86ea3d..804e016464 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -212,7 +212,7 @@ Topics and procedures in this guide are summarized in the following table. An es >This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/). >If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](https://blogs.msdn.microsoft.com/zainnab/2011/03/14/bizspark-free-msdn-subscription-for-start-up-companies/). -1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/en-us/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. +1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host. 2. Type the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1: @@ -382,7 +382,7 @@ WDSUTIL /Set-Server /AnswerClients:None In the trace tool, click **Tools** on the menu and choose **Find**. Search for "**STATMSG: ID=2301**". For example: ``` - STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=2476 TID=4636 GMTDATE=Wed Sep 14 22:11:09.363 2016 ISTR0="Configuration Manager Client Upgrade Package" ISTR1="PS100003" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS100003" SMS_DISTRIBUTION_MANAGER 9/14/2016 3:11:09 PM 4636 (0x121C) + STATMSG: ID=2301 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_DISTRIBUTION_MANAGER" SYS=SRV1.CONTOSO.COM SITE=PS1 PID=924 TID=1424 GMTDATE=Tue Oct 09 22:36:30.986 2018 ISTR0="Zero Touch WinPE x64" ISTR1="PS10000A" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=1 AID0=400 AVAL0="PS10000A" SMS_DISTRIBUTION_MANAGER 10/9/2018 3:36:30 PM 1424 (0x0590) ``` 11. You can also review status by clicking the **Zero Touch WinPE x64** image, and then clicking **Content Status** under **Related Objects** in the bottom right-hand corner of the console, or by entering **\Monitoring\Overview\Distribution Status\Content Status** on the location bar in the console. Double-click **Zero Touch WinPE x64** under **Content Status** in the console tree and verify that a status of **Successfully distributed content** is displayed on the **Success** tab. diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 0cfd6991e5..27aa69d26a 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -182,7 +182,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. - You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/en-us/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/en-us/sysinternals/cc835722) utility and run it, as shown in the following example: + You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: 
           C:\>coreinfo -v
@@ -430,7 +430,7 @@ Notes:
      
 
 #### Prepare a generation 1 VM
 
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
 
     >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
 
@@ -454,7 +454,7 @@ Notes:
      
 
 #### Prepare a generation 2 VM
 
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
 
     >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
 
@@ -487,7 +487,7 @@ Notes:
      
 
 #### Prepare a generation 1 VM from a GPT disk
 
-1. Download the [Disk2vhd utility](https://technet.microsoft.com/en-us/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
+1. Download the [Disk2vhd utility](https://technet.microsoft.com/library/ee656415.aspx), extract the .zip file and copy **disk2vhd.exe** to a flash drive or other location that is accessible from the computer you wish to convert.
 
     >You might experience timeouts if you attempt to run Disk2vhd from a network share, or specify a network share for the destination. To avoid timeouts, use local, portable media such as a USB drive.
 
diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md
index 1be1e7f1ff..7ae037d1cd 100644
--- a/windows/deployment/windows-10-pro-in-s-mode.md
+++ b/windows/deployment/windows-10-pro-in-s-mode.md
@@ -1,5 +1,5 @@
 ---
-title: Windows 10 Pro in S mode
+title: Switch to Windows 10 Pro/Enterprise from S mode
 description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional.
 keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode
 ms.mktglfcycl: deploy
@@ -7,59 +7,55 @@ ms.localizationpriority: medium
 ms.prod: w10
 ms.sitesec: library
 ms.pagetype: deploy
-ms.date: 04/30/2018
-author: Mikeblodge
+ms.date: 12/03/2018
+author: jaimeo
 ---
 
-# Windows 10 Pro/Enterprise in S mode
+# Switch to Windows 10 Pro/Enterprise from S mode
 
-S mode is an enhanced security mode of Windows 10. Windows 10 Pro and Enterprise in S mode powers affordable, cloud-ready devices that are simple, secure, and efficient. Users can get started quickly, thanks to self-service deployment and a familiar Windows experience. Low-price S mode devices offer tailored solutions for kiosks, digital signs, and task work. If your device is running Windows 10, version 1709, or Windows 10, version 1803, you can switch from Windows 10 in S mode to Windows 10 Pro.
-
-## Benefits of Windows 10 Pro in S mode:
-
-- **Microsoft-verified security** - It reduces risk of malware and exploitations because only Microsoft-verified apps can be installed including Windows Defender Antivirus.
-- **Performance that lasts** - Provides all-day battery life to keep workers on task and not tripping over cords. Also, verified apps won’t degrade device performance over time.
-- **Streamlined for speed** - Offers faster log-in times with Windows Hello. Plus, workers get all the exclusive Windows innovations including Cortana and Windows Ink. 
-
-|  |Home  |S mode  |Pro/Pro Education  |Enterprise/Education |
-|---------|:---:|:---:|:---:|:---:|
-|Start Menu/Hello/Cortana/
      Windows Ink/Microsoft Edge | X | X | X | X |
-|Store apps (including Windows 
      desktop bridge apps) | X | X | X | X |
-|Windows Update | X | X | X | X |
-|Device Encryption | X | X | X | X |
-|BitLocker | | X | X | X |
-|Windows Update for Business |  | X | X | X |
-|Microsoft Store for Education | | X | X | X |
-|Mobile Device Management
       and Azure AD join | | X | X | X |
-|Group Policy management and 
      Active Directory Domain Services | | | X | X |
-|Desktop (Windows 32) Apps | X | | X | X |
-|Change App Defaults
      Search/Browser/Photos/etc. | X | | X | X |
-|Credential Guard | | | | X |
-|Device Guard | | | | X |
-
-## Keep Line of Business apps functioning with Desktop Bridge
-Worried about your LOB apps not working in S mode? Using Desktop Bridge will enable you to convert your Line of Business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Windows Store or existing channels. 
-
-[Explore Desktop Bridge](https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root)
-
-> [!IMPORTANT]
-> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
-
-### Windows 10 in S mode is safe, secure, and fast.
 We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store.
 
-## How to switch
-If you’re running Windows 10, version 1709 or version 1803, you can switch to Windows 10 Pro through the Microsoft Store. Devices running version 1803 will only be able to switch through the Store one device at a time.
+> [!IMPORTANT]
+> While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recovery (BMR)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset.
+
+## Switch one device through the Microsoft Store
+Use the following information to switch to Windows 10 Pro through the Microsoft Store.
+
+Note these differences affecting switching modes in various releases of Windows 10:
+
+- In Windows 10, version 1709, you can switch devices one at a time from Windows 10 Pro in S mode to Windows 10 Pro by using the Microsoft Store. No other switches are possible.
+- In Windows 10, version 1803, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store.
+-  Windows 10, version 1809, you can switch devices running any S mode edition to the equivalent non-S mode edition one at a time by using the Microsoft Store or you can switch multiple devices in bulk by using Intune. You can also block users from switching devices themselves.
+
 
 1. Sign into the Microsoft Store using your Microsoft account. 
-2. Search for "S mode"
-3. In the offer, click **Buy**, **Get**, OR **Learn more.**
+2. Search for "S mode".
+3. In the offer, select **Buy**, **Get**, or **Learn more.**
+
 You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
 
+## Switch one or more devices by using Microsoft Intune
+
+Starting with Windows 10, version 1809, if you need to switch multiple devices in your environment from Windows 10 Pro in S mode to Windows 10 Pro, you can use Microsoft Intune or any other supported mobile device management software. You can configure devices to switch out of S mode during OOBE or post-OOBE - this gives you flexibility to manage Windows 10 in S mode devices at any point during the device lifecycle.
+
+1.	Start Microsoft Intune.
+2.	Navigate to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch**.
+3.	Follow the instructions to complete the switch.
+
+
+## Block users from switching
+
+You can control which devices or users can use the Microsoft Store to switch out of S mode in Windows 10.
+To set this, go to **Device configuration > Profiles > Windows 10 and later > Edition upgrade and mode switch in Microsoft Intune**, and then choose **Keep in S mode**.
+
+## S mode management with CSPs
+
+In addition to using Microsoft Intune or another modern device management tool to manage S mode, you can also use the [WindowsLicensing](https://docs.microsoft.com/windows/client-management/mdm/windowslicensing-csp) configuration service provider (CSP). In Windows 10, version 1809, we added S mode functionality that lets you switch devices, block devices from switching, and check the status (whether a device is in S mode).
+
 
 ## Related topics
 
-[FAQs](https://support.microsoft.com/en-us/help/4020089/windows-10-in-s-mode-faq)
      
+[FAQs](https://support.microsoft.com/help/4020089/windows-10-in-s-mode-faq)
      
 [Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
      
 [Windows 10 Pro Education](https://docs.microsoft.com/education/windows/test-windows10s-for-edu)
      
-[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/en-us/intune/what-is-intune)
+[Introduction to Microsoft Intune in the Azure portal](https://docs.microsoft.com/intune/what-is-intune)
diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md
index ac183ef6d1..dd630b65e0 100644
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@@ -1,12 +1,15 @@
 # [Windows Autopilot](windows-autopilot.md)
 ## [Requirements](windows-autopilot-requirements.md)
 ### [Configuration requirements](windows-autopilot-requirements-configuration.md)
+#### [Intune Connector (preview)](intune-connector.md)
 ### [Network requirements](windows-autopilot-requirements-network.md)
 ### [Licensing requirements](windows-autopilot-requirements-licensing.md)
 ## [Scenarios and Capabilities](windows-autopilot-scenarios.md)
+### [Support for existing devices](existing-devices.md)
 ### [User-driven mode](user-driven.md)
+#### [Azure Active Directory joined](user-driven-aad.md)
+#### [Hybrid Azure Active Directory joined](user-driven-hybrid.md)
 ### [Self-deploying mode](self-deploying.md)
-### [Enrollment status page](enrollment-status.md)
 ### [Windows Autopilot Reset](windows-autopilot-reset.md)
 #### [Remote reset](windows-autopilot-reset-remote.md)
 #### [Local reset](windows-autopilot-reset-local.md)
@@ -14,9 +17,12 @@
 ### [Configuring](configure-autopilot.md)
 #### [Adding devices](add-devices.md)
 #### [Creating profiles](profiles.md)
+#### [Enrollment status page](enrollment-status.md)
 ### [Administering Autopilot via Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
 ### [Administering Autopilot via Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
 ### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
 ## Getting started
 ### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md)
 ## [Troubleshooting](troubleshooting.md)
+## [FAQ](autopilot-faq.md)
+## [Support](autopilot-support.md)
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md
index d494ef7054..a10eb72607 100644
--- a/windows/deployment/windows-autopilot/add-devices.md
+++ b/windows/deployment/windows-autopilot/add-devices.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/18
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 12/12/2018
 ---
 
 # Adding devices to Windows Autopilot
@@ -20,6 +20,20 @@ ms.date: 06/01/18
 
 Before deploying a device using Windows Autopilot, the device must be registered with the Windows Autopilot deployment service. Ideally, this would be performed by the OEM, reseller, or distributor from which the devices were purchased, but this can also be done by the organization by collecting the hardware identity and uploading it manually.
 
+## Manual registration
+
+To perform manual registration of a device, you must caputure its hardware ID (also known as a hardware hash) and upload this to the Windows Autopilot deployment service. See the topics below for detailed information on how to collect and upload hardware IDs.
+
+>[!IMPORTANT]
+>Do not connect devices to the Internet prior to capturing the hardware ID and creating an Autopilot device profile. This includes collecting the hardware ID, uploading the .CSV into MSfB or Intune, assigning the profile, and confirming the profile assignment. Connecting the device to the Internet before this process is complete will result in the device downloading a blank profile that is stored on the device until it is explicity removed. In Windows 10 version 1809, you can clear the cached profile by restarting OOBE. In previous versions, the only way to clear the stored profile is to re-install the OS, reimage the PC, or run **sysprep /generalize /oobe**. 
      
+>After Intune reports the profile ready to go, only then should the device be connected to the Internet.
+
+Also note that if OOBE is restarted too many times it can enter a recovery mode and fail to run the Autopilot configuration. You can identify this scenario if OOBE displays multiple configuration options on the same page, including language, region, and keyboard layout. The normal OOBE displays each of these on a separate page. The following value key tracks the count of OOBE retries:
+
+**HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\UserOOBE** 
+
+To ensure OOBE has not been restarted too many times, you can change this value to 1.
+
 ## Device identification
 
 To define a device to the Windows Autopilot deployment service, a unique hardware ID for the device needs to be captured and uploaded to the service. While this step is ideally done by the hardware vendor (OEM, reseller, or distributor), automatically associating the device with an organization, it is also possible to do this through a harvesting process that collects the device from within a running Windows 10 version 1703 or later installation.
@@ -32,28 +46,26 @@ Note that the hardware hash also contains details about when it was generated, s
 
 The hardware ID, or hardware hash, for an existing device is available through Windows Management Instrumentation (WMI), as long as that device is running Windows 10 version 1703 or later. To help gather this information, as well as the serial number of the device (useful to see at a glance the machine to which it belongs), a PowerShell script called [Get-WindowsAutoPilotInfo.ps1 has been published to the PowerShell Gallery website](https://www.powershellgallery.com/packages/Get-WindowsAutoPilotInfo).
 
-To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, these commands can be used:
+To use this script, you can download it from the PowerShell Gallery and run it on each computer, or you can install it directly from the PowerShell Gallery. To install it directly and capture the hardware hash from the local computer, use the following commands from an elevated Windows PowerShell prompt:
 
-*md c:\\HWID*
+```powershell
+md c:\\HWID
+Set-Location c:\\HWID
+Set-ExecutionPolicy Unrestricted
+Install-Script -Name Get-WindowsAutoPilotInfo
+Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv
+```
 
-*Set-Location c:\\HWID*
-
-*Set-ExecutionPolicy Unrestricted*
-
-*Install-Script -Name Get-WindowsAutoPilotInfo*
-
-*Get-WindowsAutoPilotInfo.ps1 -OutputFile AutoPilotHWID.csv*
-
-You must run this PowerShell script with administrator privileges (elevated). It can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information.
+The commands can also be run remotely, as long as WMI permissions are in place and WMI is accessible through the Windows Firewall on that remote computer. See the Get-WindowsAutoPilotInfo script’s help (using “Get-Help Get-WindowsAutoPilotInfo.ps1”) for more information about running the script.
 
 >[!NOTE]
->With Windows 10 version 1803 and above, devices will download an Autopilot profile as soon as they connect to the internet. For devices that are not yet registered with the Autopilot deployment service, a profile will be downloaded that indicates the device should not be deployed using Autopilot. If the device connects to the internet as part of the collection process, you will need to reset the PC, reimage the PC, or re-generalize the OS (using sysprep /generalize /oobe).
+>If you will connect to the device remotely to collect the hardware ID, see the information at the top of this page about device connectivity to the Internet. 
 
 ## Collecting the hardware ID from existing devices using System Center Configuration Manager
 
-Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/en-us/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details.
+Starting with System Center Configuration Manager current branch version 1802, the hardware hashes for existing Windows 10 version 1703 and higher devices are automatically collected by Configuration Manager. See the [What’s new in version 1802](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1802#report-on-windows-autopilot-device-information) documentation for more details.
 
-## Uploading hardware IDs
+## Registering devices
 
 Once the hardware IDs have been captured from existing devices, they can be uploaded through a variety of means. See the detailed documentation for each available mechanism:
 
diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md
new file mode 100644
index 0000000000..0eefe9fc9f
--- /dev/null
+++ b/windows/deployment/windows-autopilot/autopilot-faq.md
@@ -0,0 +1,158 @@
+---
+title: Windows Autopilot support
+description: Support information for Windows Autopilot
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 11/05/2018
+---
+
+# Windows Autopilot FAQ
+
+**Applies to: Windows 10**
+
+This topic provides OEMs, partners, administrators, and end-users with answers to some frequently asked questions about deploying Windows 10 with Windows Autopilot. 
+
+A [glossary](#glossary) of abbreviations used in this topic is provided at the end.
+
+
+## Microsoft Partner Center
+
+| Question | Answer |
+| --- | --- |
+| In the Partner Center, does the Tenant ID need to be provided with every device file upload (to then allow the business customer to access their devices in MSfB)?     | No. Providing the Tenant ID is a one-time entry in the Partner Center that can be re-used with future device uploads. |
+| How does the customer or tenant know that their devices are ready to be claimed in MSfB?    |  After the device file upload is completed in the Partner Center, the tenant can see the devices available for Windows Autopilot setup in MSfB. The OEM would need to advise the tenant to access MSfB. Auto-notification from MSfB to the tenant is being developed.  |
+|  Are there any restrictions if a business customer has registered devices in MSfB and later wants those devices to be managed by a CSP via the Partner Center? | The devices will need to be deleted in MSfB by the business customer before the CSP can upload and manage them in the Partner Center. | 
+| Does Windows Autopilot support removing the option to enable a local administrator account?    |  Windows Autopilot doesn’t support removing the local admin account. However, it does support restricting the user performing AAD domain join in OOBE to a standard account (versus admin account by default).|
+| How can I test the Windows Autopilot CSV file in the Partner Center?    |  Only CSP Partners have access to the Partner Center portal. If you are a CSP, you can create a Sales agent user account which has access to “Devices” for testing the file. This can be done today in the Partner Center. 

      Go [here](https://msdn.microsoft.com/partner-center/createuseraccounts-and-set-permissions) for more information. |
+|  Must I become a Cloud Solution Provider (CSP) to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API.  All others who choose to use MPC to register devices must become CSPs in order to access MPC.  |
+| Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot?   |  For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority an access: 

      1. Direct CSP: Gets direct authorization from the customer to register devices. 

      2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer.  Indirect CSP Providers register devices through Microsoft Partner Center. 

      3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices.  At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer.  However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. |
+
+## Manufacturing
+
+| Question | Answer |
+| --- | --- |
+| What changes need to be made in the factory OS image for customer configuration settings?     |No changes are required on the factory floor to enable Windows Autopilot deployment.  |
+| What version of the OA3 tool meets Windows Autopilot deployment requirements?     | Windows Autopilot can work with any version of the OA3 tool. We recommend using Windows 10, version 1703 and above to generate the 4K Hardware Hash.    |
+|  At the time of placing an order, do customers need to be state whether they want it with or without Windows Autopilot options?   | Yes, if they want Windows Autopilot, they will want Windows 10, version 1703 or later versions. Also, they will want to receive the CSV file or have the file upload (i.e., registration) completed on their behalf.    |
+|  Does the OEM need to manage or collect any custom imaging files from customers and perform any image uploads to Microsoft?   | No change, OEMs just send the CBRs as usual to Microsoft. No images are sent to Microsoft to enable Windows Autopilot.  Windows Autopilot only customizes OOBE and allows policy configurations (disables admin account, for example).  |
+|  Are there any customer impacts to upgrading from Windows 8 to Windows 10?    | The devices must have Windows 10, version 1703 or later to enroll in Windows Autopilot deployment, otherwise no impacts.    |
+| Will there be any change to the existing CBR with 4k Hardware Hash?    | No.  |
+| What new information needs to be sent from the OEM to Microsoft?    | Nothing, unless the OEM opts to register the device on the customer’s behalf, in which case they would upload the device ID via a CSV file into Microsoft Partner Center, or use the OEM Direct API.  |
+| Is there a contract or amendment for an OEM to participate in Windows Autopilot Deployment?    | No.  |
+
+## CSV schema
+
+| Question | Answer |
+| --- | --- |
+|  Can a comma be used in the CSV file? | No.   |
+| What error messages can a user expect to see in the Partner Center or MSfB when uploading a file?    | See the “In Microsoft Store for Business” section of this guide.  |
+| Is there a limit to the number of devices that can be listed in the CSV file?    | Yes, the CSV file can only contain 1,000 devices to apply to a single profile. If more than 1,000 devices need to be applied to a profile, the devices need to be uploaded through multiple CSV files.    |
+| Does Microsoft have any recommendations on how an OEM should provide the CSV file to their customers?    |  Microsoft recommends encrypting the CSV file when sending to the business customer to self-register their Windows Autopilot devices (either through MPC, MSfB, or Intune).   |
+
+
+## Hardware hash
+
+| Question | Answer |
+| --- | --- |
+| Must every Hardware Hash submitted by the OEM contain the SMBIOS UUID (universally unique identifier), MAC (media access control) address and unique disk serial number (if using Windows 10, version 1703 and above OEM Activation 3.0 tool)?    | Yes. Since Windows Autopilot is based on the ability to uniquely identify devices applying for cloud configuration, it is critical to submit Hardware Hashes which meet the outlined requirement.   |
+| What is the reason for needing the SMBIOS UUID, MAC Address and Disk Serial Number in the Hardware Hash details?    | For creating the Hardware Hash, these are the fields that are needed to identify a device, as parts of the device are added/removed. Since we don’t have a unique identifier for Windows devices, this is the best logic to identify a device.    |
+| What is difference between OA3 Hardware Hash, 4K Hardware Hash, and Windows Autopilot Hardware Hash?    | None.  They’re different names for the same thing.  The Windows 10, 1703 version of the OA3 tool output is called the OA3 Hash, which is 4K in size, which is usable for the Windows Autopilot deployment scenario. Note: When using a non-1703 version OA3Tool, you get a different sized Hash, which may not be used for Windows Autopilot deployment.  |
+|  What is the thought around parts replacement and/or repair for the NIC (network interface controller) and/or Disk? Will the Hardware Hash become invalid?   |  Yes.  If you replace parts, you need to gather the new Hardware Hash, though it depends on what is replaced, and the characteristics of the parts. For example, if you replace the TPM or motherboard, it’s a new device – you MUST have new Hardware Hash. If you replace one network card, it’s probably not a new device, and the device will function with the old Hardware Hash.  However, as a best practice, you should assume the old Hardware Hash is invalid and get a new Hardware Hash after any hardware changes – this is Microsoft’s strong recommendation any time you replace parts. |
+
+## Motherboard replacement
+
+| Question | Answer |
+| --- | --- |
+| How does Autopilot handle motherboard replacement scenarios?”  |  Motherboard replacement is out for scope for Autopilot. Any device that is repaired or serviced in a way that alters the ability to identify the device for Windows Autopilot must go through the normal OOBE process, and manually select the right settings or apply a custom image - as is the case today.  

      To reuse the same device for Windows Autopilot after a motherboard replacement, the device would need to be de-registered from Autopilot, the motherboard replaced, a new 4K HH harvested, and then re-registered using the new 4K HH (or device ID). 

      **Note**:  An OEM will not be able to use the OEM Direct API to re-register the device, since the OEM Direct API only accepts a tuple or PKID.  In this case, the OEM would either have to send the new 4K HH info via a CSV file to customer, and let customer reregister the device via MSfB or Intune.|
+
+## SMBIOS
+
+| Question | Answer |
+| --- | --- |
+| Any specific requirement to SMBIOS UUID?    | It must be unique as specified in the Windows 10 hardware requirements.    |
+| What is the requirement on the SMBIOS table to meet the Windows Autopilot Hardware Hash need?    | It must meet all the Windows 10 hardware requirements.  Additional details may be found [here](https://msdn.microsoft.com/library/jj128256(v=vs.85).aspx).    |
+| If the SMBIOS supports UUID and Serial Number, is it enough for the OA3 tool to generate the Hardware Hash?    | No.  At a minimum, the following SMBIOS fields need to be populated with unique values: ProductKeyID SmbiosSystemManufacturer SmbiosSystemProductName SmbiosSystemSerialNumber SmbiosSkuNumber SmbiosSystemFamily MacAddress SmbiosUuid DiskSerialNumber TPM EkPub |
+
+## Technical interface
+
+| Question | Answer |
+| --- | --- |
+|  What is the interface to get the MAC Address and Disk Serial Number? How does the OA tool get MAC and Disk Serial #?   | Disk serial number is found from IOCTL_STORAGE_QUERY_PROPERTY with  StorageDeviceProperty/PropertyStandardQuery.   Network MAC address is  IOCTL_NDIS_QUERY_GLOBAL_STATS from OID_802_3_PERMANENT_ADDRESS.  However the exact mechanisms/”interface” for doing this operation varies depending on the exact scenario being discussed.  |
+| Follow up clarification: If we have 2-3 MACs on the system, how does OA Tool choose which MAC Address and Disk Serial Number on the system since there are multiple instances of each? If a platform has LAN And WLAN, which MAC is chosen?     |  In short, all available values are used.  In detail, there may be extra specific usage rules. The System disk serial number is more important than any other disks available. Network interfaces that are removable should not be used if detected as they are removable. LAN vs WLAN should not matter, both will be used.  |
+
+## The end user experience
+
+| Question | Answer |
+| --- | --- |
+| How do I know that I received Autopilot?    | You can tell that you received Windows Autopilot (as in the device received a configuration but has not yet applied it) when you skip the selection page (as seen below), and are immediately taken to a generic or customized sign-in page.    |
+| Windows Autopilot didn’t work, what do I do now?    | Questions and actions to assist in troubleshooting:  Did a screen not get skipped?   Did a user end up as an admin when configured not to? Remember that AAD Admins will be local admins regardless of whether Windows Autopilot is configured to disable local admin  Collection information – run licensingdiag.exe and send the .cab (Cabinet file) file that is generated to AutopilotHelp@microsoft.com. If possible, collect an ETL from WPR. Often in these cases, users are not signing into the right AAD tenant, or are creating local user accounts.  For a complete list of support options, refer to [Windows Autopilot support](autopilot-support.md). |
+|  If an Administrator makes changes to an existing profile, will the changes take effect on devices that have that profile assigned to them that have already been deployed?   | No. Windows Autopilot profiles are not resident on the device. They are downloaded during OOBE, the settings defined at the time are applied. Then, the profile is discarded on the device. If the device is re-imaged or reset, the new profile settings will take effect the next time the device goes through OOBE.    |
+| What is the experience if a device isn’t registered or if an IT Admin doesn’t configure Windows Autopilot prior to an end user attempting to self-deploy?    | If the device isn’t registered, it will not receive the Windows Autopilot experience and the end user will go through normal OOBE. The Windows Autopilot configurations will NOT be applied until the user runs through OOBE again, after registration. If a device is started before an MDM profile is created, the device will go through standard OOBE experience.  The IT Admin would then have to manually enrol that device into the MDM, after which—the next time that device is “reset”—it will go through the Windows Autopilot OOBE experience.  |
+| What may be a reason why I did not receive a customized sign-in screen during Autopilot?    |  Tenant branding must be configured in portal.azure.com to receive a customized sign-in experience.   |
+| What happens if a device is registered with Azure AD but does not have an Windows Autopilot profile assigned?    |  The regular AAD OOBE will occur since no Windows Autopilot profile was assigned to the device.   |
+| How can I collect logs on Autopilot?  | The best way to collect logs on Windows Autopilot performance is to collect a Windows Performance Recorder (WPR) trace during OOBE. The XML file (WPRP extension) for this trace may be provided upon request.  |
+
+
+## MDM
+
+| Question | Answer |
+| --- | --- |
+| Must we use Intune for our MDM?  |  No.  No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune.  You’ll get the best experience from Intune. |
+| Can Intune support Win32 app preinstalls?  | Yes.  Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers.  |
+| What is co-management?  | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premise configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile.  If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile.  When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. |
+| Must we use System Center Configuration Manager (SCCM) for Windows Autopilot  |  No.  Co-management (described above) is optional. |
+
+
+## Features
+
+| Question | Answer |
+| --- | --- |
+| Self-deploying mode  | A new version of Windows Autopilot where the user only turns on the device, and nothing else.  It’s useful for scenarios where a standard user account isn’t needed (e.g., shared devices, or KIOSK devices).  |
+| Hybrid Azure Active Directory join  |  Allows Windows Autopilot devices to connect to an on-premise Active Directory domain controller (in addition to being Azure AD joined). |
+| Windows Autopilot reset  | Removes user apps and settings from a device, but maintains AAD domain join and MDM enrollment.  Useful for when transferring a device from one user to another.  |
+| Personalization  | Adds the following to the OOBE experience: A personalized welcome message can be created A username hint can be added Sign-in page text can be personalized The company’s logo can be included |
+| [Autopilot for existing devices](existing-devices.md)  |  Offers an upgrade path to Windows Autopilot for all existing Win 7/8 devices. |
+
+
+
+## General
+
+| Question | Answer |
+| --- | --- |
+| If I wipe the machine and restart, will I still receive Windows Autopilot?    |  Yes, if the device is still registered for Windows Autopilot and is running Windows 10, version 1703 7B and above releases, it will receive the Windows Autopilot experience.   |
+| Can I harvest the device fingerprint on existing machines?    | Yes, if the device is running Windows 10, version 1703 and above, you can harvest device fingerprints for registration. There are no plans to backport the functionality to previous releases and no way to harvest them on pre-Windows 10 Windows 10, version 1703 devices that have not been updated to Windows 10, version 1703.     |
+| What is Windows 10, version 1703 7B and why does it matter?    |  Windows 10, version 1703 7B is a Windows 10, version 1703 image bundled with cumulative updates. To receive Autopilot, clients **must** run Windows 10, version 1703 7B or later. These cumulative updates contain a critical fix for Autopilot. Consider the following:

      Windows Autopilot will not apply its profiles to the machine unless AAD credentials match the expected AAD tenant. For the Windows 10, version 1703 release, it was assumed that would be determined by the domain name, so the domain name used to register (for example contoso.com) should match the domain name used to sign in (for example user@contoso.com). But what happens if your tenant has multiple domains (for example us.contoso.com, or fr.contoso.com)? Since these domain names do not match, the device will not be configured for Autopilot. However, both domains are part of the same AAD tenant, and as such it was determined the matching scheme was not useful. This was improved upon by making use of the tenant ID. By using the tenant ID, we can determine that if the user signs into a domain with a tenant matching the one they registered with, we can safely consider this to be a match. The fix for this problem already exists in Windows 10, version 1709 and was backported into the Windows 10, version 1703 7B release.  

      **Key Take-Aways**:  When using pre-Windows 10, version 1703 7B clients the user’s domain **must** match the domain they registered with. This functionality is found in Windows 10 version 1709 clients using build >= 16215, and Windows 10, version 1703 clients >= 7B.   |
+| What is the impact of not updating to 7B?    |  See the detailed scenario described directly above.  |
+|  Is Windows Autopilot supported on other SKUs, e.g. Surface Hub, HoloLens, Windows Mobile.   | No, Windows Autopilot isn’t supported on other SKUs.    |
+| Does Windows Autopilot work after MBR or image re-installation?    |  Yes. |
+| Can machines that have reimaged a few times go through Autopilot? What does the error message "This user is not authorized to enroll" mean? Error code 801c0003.    | There are limits to the number of devices a particular AAD user can enroll in AAD, as well as the number of devices that are supported per user in Intune.  (These are somewhat configurable but not “infinite.”)  You’ll run into this frequently if you reuse the devices, or even if you roll back to previous virtual machine snapshots.     |
+|  What happens if a device is registered to a malicious agent?   | By design, Windows Autopilot does not apply a profile until the user signs in with the matching tenant for the configured profile via the AAD sign-in process. What occurs is illustrated below.  If badguys.com registers a device owned by contoso.com, at worst, the user would be directed to sign into badguys.com. When the user enters their email/password, the sign-in information is redirected through AAD to the proper AAD authentication and the user is prompted to then sign into contoso.com. Since contoso.com does not match badguys.com as the tenant, the Windows Autopilot profile will not be applied and the regular AAD OOBE will occur.    |
+|  Where is the Windows Autopilot data stored?    |  Windows Autopilot data is stored in the United States (US), not in a sovereign cloud, even when the AAD tenant is registered in a sovereign cloud. This is applicable to all Windows Autopilot data, regardless of the portal leveraged to deploy Autopilot.   |
+|  Why is Windows Autopilot data stored in the US and not in a sovereign cloud?   |  It is not customer data that we store, but business data which enables Microsoft to provide a service, therefore it is okay for the data to reside in the US. Customers can stop subscribing to the service any time, and, in that event, the business data is removed by Microsoft.   |
+| How many ways are there to register a device for Windows Autopilot  | There are six ways to register a device, depending on who is doing the registering: 

      1.	OEM Direct API (only available to TVOs) 
      2. MPC via the MPC API (must be a CSP) 
      3. MPC via manual upload of CSV file in the UI (must be a CSP) 
      4. MSfB via CSV file upload 
      5. Intune via CSV file upload 
      6.	Microsoft 365 Business portal via CSV file upload |
+|  How many ways are there to create an Windows Autopilot profile? |  There are four ways to create & assign an Windows Autopilot profile: 

      1.	Through MPC (must be a CSP) 
      2.	Through MSfB 
      3.	Through Intune (or another MDM) 
      4.	Microsoft 365 Business portal 

      Microsoft recommends creation and assignment of profiles through Intune.|
+|  What are some common causes of registration failures? |  
      1.	Bad or missing Hardware hash entries can lead to faulty registration attempts 
      2.	Hidden special characters in CSV files.  

      To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.|
+
+## Glossary
+
+| Term | Meaning |
+| --- | --- |
+| CSV  | Comma Separated Values (File type similar to Excel spreadsheet)  |
+| MPC  | Microsoft Partner Center   |
+| MDM  | Mobile Device Management   |
+| OEM  | Original Equipment Manufacturer   |
+| CSP  |  Cloud Solution Provider  |
+| MSfB  | Microsoft Store for Business   |
+| AAD  | Azure Active Directory   |
+| 4K HH  |  4K Hardware Hash |
+| CBR  | Computer Build Report  |
+| EC  |  Enterprise Commerce  |
+| DDS  | Device Directory Service    |
+| OOBE  | Out of the Box Experience   |
+| UUID  | Universally Unique Identifier   |
diff --git a/windows/deployment/windows-autopilot/autopilot-support.md b/windows/deployment/windows-autopilot/autopilot-support.md
new file mode 100644
index 0000000000..65932a5cf6
--- /dev/null
+++ b/windows/deployment/windows-autopilot/autopilot-support.md
@@ -0,0 +1,43 @@
+---
+title: Windows Autopilot support
+description: Support information for Windows Autopilot
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/31/2018
+---
+
+# Windows Autopilot support information
+
+**Applies to: Windows 10**
+
+The following table displays support information for the Windows Autopilot program.  
+
+Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md).
+
+| Audience | Support contact |
+| --- | --- |
+OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. |
+| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority: 
      Low – 120 hours 
      Normal – 72 hours 
      High – 24 hours 
      Immediate – 4 hours |
+| OEM with a PFE | Reach out to your PFE for support.  |
+| Partners with a Partner Technology Strategist (PTS) |  If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). |
+| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues.  |
+| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative.  |
+| End-user | Contact your IT administrator.  |
+| Microsoft Partner Center (MPC) users |  Use the [help resources](https://partner.microsoft.com/support) available in MPC. |
+| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB.  |
+| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview).  |
+| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in:  https://support.microsoft.com/en-us.  |
+| Queries relating to MDA testing | Contact MDAHelp@microsoft.com.  |
+| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. |
+
+
+
+
+
+
diff --git a/windows/deployment/windows-autopilot/configure-autopilot.md b/windows/deployment/windows-autopilot/configure-autopilot.md
index 320afb60dd..1913e60393 100644
--- a/windows/deployment/windows-autopilot/configure-autopilot.md
+++ b/windows/deployment/windows-autopilot/configure-autopilot.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/18
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/02/2018
 ---
 
 # Configure Autopilot deployment
@@ -26,7 +26,10 @@ When deploying new devices using Windows Autopilot, a common set of steps are re
 
 2.  [Assign a profile of settings to each device](profiles.md), specifying how the device should be deployed and what user experience should be presented.
 
-3.  Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download the profile settings which are used to customize the end user experience.
+3.  Boot the device. When the device is connected to a network with internet access, it will contact the Windows Autopilot deployment service to see if the device is registered, and if it is, it will download profile settings such as the [Enrollment Status page](enrollment-status.md), which are used to customize the end user experience.
 
 
 
+## Related topics
+
+[Windows Autopilot scenarios](windows-autopilot-scenarios.md)
\ No newline at end of file
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index ca44b1c9f9..6a8c2d3e3d 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -7,9 +7,9 @@ ms.mktglfcycl: deploy
 ms.localizationpriority: medium
 ms.sitesec: library
 ms.pagetype: deploy
-author: coreyp-at-msft
+author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 07/13/18
+ms.date: 10/02/2018
 ---
 
 # Demonstrate Autopilot deployment on a VM
diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md
index 2f7e82b15e..e5f113b83c 100644
--- a/windows/deployment/windows-autopilot/enrollment-status.md
+++ b/windows/deployment/windows-autopilot/enrollment-status.md
@@ -6,47 +6,63 @@ ms.prod: w10
 ms.technology: Windows
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.pagetype:
+ms.pagetype: deploy
 ms.localizationpriority: medium
-author: coreyp-at-msft
-ms.author: coreyp
-ms.date: 06/01/2018
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 12/13/2018
 ---
 
 # Windows Autopilot Enrollment Status page
 
 The Windows Autopilot Enrollment Status page displaying the status of the complete device configuration process.  Incorporating feedback from customers, this provides information to the user to show that the device is being set up and can be configured to prevent access to the desktop until the configuration is complete. 
  
- ![Enrollment Status Page](images/enrollment-status-page.png)
+ ![Enrollment status page](images/enrollment-status-page.png)
 
 ## Available settings
 
- The following settings can be configured:
+ The following settings can be configured to customize behavior of the enrollment status page:
 
- - Show app and profile installation progress.  When enabled, the Enrollment Status page is displayed.
- - Block device use until all apps and profiles are installed.  When enabled, the Enrollment Status page will be displayed until the device configuraton process is complete.  When not enabled, the user can dismiss the page at any time.
- - Allow users to reset device if installation errors occur.
- - Allow users to use device if installation errors occur.
- - Show error when installation takes longer than the specified number of minutes.
- - Show custom error message when an error occurs.
- - Allow users to collect logs about installation errors.
+
      Category -Overview of Windows Autopilot +Overview of Windows Autopilot
      +
      SettingYesNo +
      Show app and profile installation progressThe enrollment status page is displayed.The enrollment status page is not displayed. +
      Block device use until all apps and profiles are installedThe settings in this table are made available to customize behavior of the enrollment status page, so that the user can address potential installation issues. +The enrollment status page is displayed with no additional options to address installation failures. +
      Allow users to reset device if installation error occursA Reset device button is displayed if there is an installation failure.The Reset device button is not displayed if there is an installation failure. +
      Allow users to use device if installation error occursA Continue anyway button is displayed if there is an installation failure.The Continue anyway button is not displayed if there is an installation failure. +
      Show error when installation takes longer than specified number of minutesSpecify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered. +
      Show custom message when an error occursA text box is provided where you can specify a custom message to display in case of an installation error.The default message is displayed:
      Oh no! Something didn't do what it was supposed to. Please contact your IT department. +
      Allow users to collect logs about installation errorsIf there is an installation error, a Collect logs button is displayed.
      If the user clicks this button they are asked to choose a location to save the log file MDMDiagReport.cab      		The Collect logs button is not displayed if there is an installation error. +
      Block device use until these required apps are installed if they are assigned to the user/deviceChoose All or Selected.

      If Selected is chosen, a Select apps button is displayed that enables you to choose which apps must be installed prior to enabling device use. +
      -## Installation progresss tracked +See the following example: + + ![Enrollment status page settings](images/esp-settings.png) + +## Installation progress tracking The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process. The specific types of policies that are tracked include: - Certain types of app installations. - - Enterprise modern apps (Appx/MSIX) installed by the [Enterprise Modern App Managment CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprisemodernappmanagement-csp). - - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/enterprisedesktopappmanagement-csp). + - Enterprise modern apps (Appx/MSIX) installed by the [Enterprise Modern App Managment CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisemodernappmanagement-csp). + - Enterprise desktop apps (single-file MSIs) installed by the [Enterprise Desktop App Management CSP](https://docs.microsoft.com/windows/client-management/mdm/enterprisedesktopappmanagement-csp). - Certain device configuration policies. -Presently the following types of policies are not tracked: +The following types of policies and installations are not tracked: -- Intune Management Extentions PowerShell scripts. -- Office 365 ProPlus installations. -- System Center Configuration Manager apps, packages, and task sequences. +- Intune Management Extensions PowerShell scripts +- Office 365 ProPlus installations** +- System Center Configuration Manager apps, packages, and task sequences -## For more information +**The ability to track Office 365 ProPlus installations was added with Windows 10, version 1809.
      + +## More information + +For more information on configuring the Enrollment Status page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).
      +For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
      +For more information about blocking for app installation: +- [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). +- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). -For more information on configuring the Enrollment Status page, [see the Microsoft Intune documentation](https://docs.microsoft.com/en-us/intune/windows-enrollment-status). For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp). diff --git a/windows/deployment/windows-autopilot/existing-devices.md b/windows/deployment/windows-autopilot/existing-devices.md new file mode 100644 index 0000000000..72bca7e019 --- /dev/null +++ b/windows/deployment/windows-autopilot/existing-devices.md @@ -0,0 +1,304 @@ +--- +title: Windows Autopilot for existing devices +description: Listing of Autopilot scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 11/05/2018 +--- + +# Windows Autopilot for existing devices + +**Applies to: Windows 10** + +Modern desktop management with Windows Autopilot enables you to easily deploy the latest version of Windows 10 to your existing devices. The apps you need for work can be automatically installed. Your work profile is synchronized, so you can resume working right away. + +This topic describes how to convert Windows 7 domain-joined computers to Azure Active Directory-joined computers running Windows 10 by using Windows Autopilot. + +## Prerequisites + +- System Center Configuration Manager Current Branch (1806) OR System Center Configuration Manager Technical Preview (1808) +- The [Windows ADK](https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit) 1803 or later + - Note: Config Mgr 1806 or later is required to [support](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10#windows-10-adk) the Windows ADK 1809. +- Assigned Microsoft Intune Licenses +- Azure Active Directory Premium +- Windows 10 version 1809 or later imported into Config Mgr as an Operating System Image + +## Procedures + +### Configure the Enrollment Status Page (optional) + +If desired, you can set up an [enrollment status page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) for Autopilot using Intune. + +To enable and configure the enrollment and status page: + +1. Open [Intune in the Azure portal](https://aka.ms/intuneportal). +2. Access **Intune > Device enrollment > Windows enrollment** and [Set up an enrollment status page](https://docs.microsoft.com/intune/windows-enrollment-status). +3. Access **Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune** and [Configure automatic MDM enrollment](https://docs.microsoft.com/sccm/mdm/deploy-use/enroll-hybrid-windows#enable-windows-10-automatic-enrollment) and configure the MDM user scope for some or all users. + +See the following examples. + +![enrollment status page](images/esp-config.png)

      +![mdm](images/mdm-config.png) + +### Create the JSON file + +>[!TIP] +>To run the following commands on a computer running Windows Server 2012/2012 R2 or Windows 7/8.1, you must first download and install the [Windows Management Framework](https://www.microsoft.com/en-us/download/details.aspx?id=54616). + +1. On an Internet connected Windows PC or Server open an elevated Windows PowerShell command window +2. Enter the following lines to install the necessary modules + + #### Install required modules + + ``` + Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force + Install-Module AzureAD -Force + Install-Module WindowsAutopilotIntune -Force + ``` + +3. Enter the following lines and provide Intune administrative credentials + - In the following command, replace the example user principal name for Azure authentication (admin@M365x373186.onmicrosoft.com) with your user account. Be sure that the user account you specify has sufficient administrative rights. + + ``` + Connect-AutopilotIntune -user admin@M365x373186.onmicrosoft.com + ``` + The password for your account will be requested using a standard Azure AD form. Type your password and then click **Sign in**. +
      See the following example: + + ![Azure AD authentication](images/pwd.png) + + If this is the first time you’ve used the Intune Graph APIs, you’ll also be prompted to enable read and write permissions for Microsoft Intune PowerShell. To enable these permissions: + - Select **Consent on behalf or your organization** + - Click **Accept** + +4. Next, retrieve and display all the Autopilot profiles available in the specified Intune tenant in JSON format: + + #### Retrieve profiles in Autopilot for existing devices JSON format + + ``` + Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON + ``` + + See the following sample output: + 
      +    PS C:\> Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
+    {
+        "CloudAssignedTenantId":  "1537de22-988c-4e93-b8a5-83890f34a69b",
+        "CloudAssignedForcedEnrollment":  1,
+        "Version":  2049,
+        "Comment_File":  "Profile Autopilot Profile",
+        "CloudAssignedAadServerData":  "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"ForcedEnrollment\":1,\"CloudAssignedTenantDomain\":\"M365x373186.onmicrosoft.com\"}}",
+        "CloudAssignedTenantDomain":  "M365x373186.onmicrosoft.com",
+        "CloudAssignedDomainJoinMethod":  0,
+        "CloudAssignedOobeConfig":  28,
+        "ZtdCorrelationId":  "7F9E6025-1E13-45F3-BF82-A3E8C5B59EAC"
+    }
      + + Each profile is encapsulated within braces **{ }**. In the previous example, a single profile is displayed. + + See the following table for a description of properties used in the JSON file. + + | Property | Description | + | --- | --- | + | Version (number, optional) | The version number that identifies the format of the JSON file. For Windows 10 1809, the version specified must be 2049. | + | CloudAssignedTenantId (guid, required) | The Azure Active Directory tenant ID that should be used. This is the GUID for the tenant, and can be found in properties of the tenant. The value should not include braces. | + | CloudAssignedTenantDomain (string, required) | The Azure Active Directory tenant name that should be used, e.g. tenant.onmicrosoft.com. | + | CloudAssignedOobeConfig (number, required) | This is a bitmap that shows which Autopilot settings were configured. Values include: SkipCortanaOptIn = 1, OobeUserNotLocalAdmin = 2, SkipExpressSettings = 4, SkipOemRegistration = 8, SkipEula = 16 | + | CloudAssignedDomainJoinMethod (number, required) | This property should be set to 0 and specifies that the device should join Azure AD. | + | CloudAssignedForcedEnrollment (number, required) | Specifies that the device should require AAD Join and MDM enrollment.
      0 = not required, 1 = required. | + | ZtdCorrelationId (guid, required) | A unique GUID (without braces) that will be provided to Intune as part of the registration process. ZtdCorrelationId will be included in enrollment message as “OfflineAutoPilotEnrollmentCorrelator”. This attribute will be present only if the enrollment is taking place on a device registered with Zero Touch Provisioning via offline registration.| + | CloudAssignedAadServerData (encoded JSON string, required) | An embedded JSON string used for branding. It requires AAD corp branding enabled.
      Example value: "CloudAssignedAadServerData": "{\"ZeroTouchConfig\":{\"CloudAssignedTenantUpn\":\"\",\"CloudAssignedTenantDomain\":\"tenant.onmicrosoft.com\"}}"| + | CloudAssignedDeviceName (string, optional) | The name automatically assigned to the computer. This follows the naming pattern convention that can be configured in Intune as part of the Autopilot profile, or can specify an explicit name to use. | + +5. The Autopilot profile must be saved as a JSON file in ASCII or ANSI format. Windows PowerShell defaults to Unicode format, so if you attempt to redirect output of the commands to a file, you must also specify the file format. For example, to save the file in ASCII format using Windows PowerShell, you can create a directory (ex: c:\Autopilot) and save the profile as shown below: + + ``` + Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON | Out-File c:\Autopilot\AutopilotConfigurationFile.json -Encoding ASCII + ``` + **IMPORTANT**: The file name must be named **AutopilotConfigurationFile.json** in addition to being encoded as ASCII/ANSI. + + If preferred, you can save the profile to a text file and edit in Notepad. In Notepad, when you choose **Save as** you must select Save as type: **All Files** and choose ANSI from the drop-down list next to **Encoding**. See the following example. + + ![Notepad JSON](images/notepad.png) + + After saving the file, move the file to a location suitable as an SCCM package source. + + >[!IMPORTANT] + >Multiple JSON profile files can be used, but each must be named **AutopilotConfigurationFile.json** in order for OOBE to follow the Autopilot experience. The file also must be encoded as ANSI.

      **Saving the file with Unicode or UTF-8 encoding or saving it with a different file name will cause Windows 10 OOBE to not follow the Autopilot experience**.
      + + +### Create a package containing the JSON file + +1. In Configuration Manager, navigate to **\Software Library\Overview\Application Management\Packages** +2. On the ribbon, click **Create Package** +3. In the **Create Package and Program Wizard** enter the following **Package** and **Program Type** details:
      + - Name: **Autopilot for existing devices config** + - Select the **This package contains source files** checkbox + - Source folder: Click **Browse** and specify a UNC path containing the AutopilotConfigurationFile.json file. + - Click **OK** and then click **Next**. + - Program Type: **Do not create a program** +4. Click **Next** twice and then click **Close**. + +**NOTE**: If you change user-driven Autopilot profile settings in Intune at a later date, you must also update the JSON file and redistribute the associated Config Mgr package. + +### Create a target collection + +>[!NOTE] +>You can also choose to reuse an existing collection + +1. Navigate to **\Assets and Compliance\Overview\Device Collections** +2. On the ribbon, click **Create** and then click **Create Device Collection** +3. In the **Create Device Collection Wizard** enter the following **General** details: + - Name: **Autopilot for existing devices collection** + - Comment: (optional) + - Limiting collection: Click **Browse** and select **All Systems** + + >[!NOTE] + >You can optionally choose to use an alternative collection for the limiting collection. The device to be upgraded must be running the ConfigMgr agent in the collection that you select. + +4. Click **Next**, then enter the following **Membership Rules** details: + - Click **Add Rule** and specify either a direct or query based collection rule to add the target test Windows 7 devices to the new collection. + - For example, if the hostname of the computer to be wiped and reloaded is PC-01 and you wish to use Name as the attribute, click **Add Rule > Direct Rule > (wizard opens) > Next** and then enter **PC-01** next to **Value**. Click **Next** and then choose **PC-01** under **Resources**. See the following examples. + + ![Named resource1](images/pc-01a.png) + ![Named resource2](images/pc-01b.png) + +5. Continue creating the device collection with the default settings: + - Use incremental updates for this collection: not selected + - Schedule a full update on this collection: default + - Click **Next** twice and then click **Close** + +### Create an Autopilot for existing devices Task Sequence + +>[!TIP] +>The next procedure requires a boot image for Windows 10 1803 or later. Review your available boot images in the Configuration Manager conole under **Software Library\Overview\Operating Systems\Boot images** and verify that the **OS Version** is 10.0.17134.1 (Windows 10 version 1803) or later. + +1. In the Configuration Manager console, navigate to **\Software Library\Overview\Operating Systems\Task Sequences** +2. On the Home ribbon, click **Create Task Sequence** +3. Select **Install an existing image package** and then click **Next** +4. In the Create Task Sequence Wizard enter the following details: + - Task sequence name: **Autopilot for existing devices** + - Boot Image: Click **Browse** and select a Windows 10 boot image (1803 or later) + - Click **Next**, and then on the Install Windows page click **Browse** and select a Windows 10 **Image package** and **Image Index**, version 1803 or later. + - Select the **Partition and format the target computer before installing the operating system** checkbox. + - Select or clear **Configure task sequence for use with Bitlocker** checkbox. This is optional. + - Product Key and Server licensing mode: Optionally enter a product key and server licencing mode. + - Randomly generate the local administrator password and disable the account on all support platforms (recommended): Optional. + - Enable the account and specify the local administrator password: Optional. + - Click **Next**, and then on the Configure Network page choose **Join a workgroup** and specify a name (ex: workgroup) next to **Workgroup**. + + >[!IMPORTANT] + >The Autopilot for existing devices task sequence will run the **Prepare Windows for capture** action which calls the System Preparation Tool (syeprep). This action will fail if the target machine is joined to a domain. + +5. Click **Next** and then click **Next** again to accept the default settings on the Install Configuration Manager page. +6. On the State Migration page, enter the following details: + - Clear the **Capture user settings and files** checkbox. + - Clear the **Capture network settings** checkbox. + - Clear the **Capture Microsoft Windows settings** checkbox. + - Click **Next**. + + >[!NOTE] + >The Autopilot for existing devices task sequence will result in an Azure Active Directory Domain (AAD) joined device. The User State Migration Toolkit (USMT) does not support AAD joined devices. + +7. On the Include Updates page, choose one of the three available options. This selection is optional. +8. On the Install applications page, add applications if desired. This is optional. +9. Click **Next**, confirm settings, click **Next** and then click **Close**. +10. Right click on the Autopilot for existing devices task sequence and click **Edit**. +11. In the Task Sequence Editor under the **Install Operating System** group, click the **Apply Windows Settings** action. +12. Click **Add** then click **New Group**. +13. Change the group **Name** from **New Group** to **Autopilot for existing devices config**. +14. Click **Add**, point to **General**, then click **Run Command Line**. +15. Verify that the **Run Command Line** step is nested under the **Autopilot for existing devices config** group. +16. Change the **Name** to **Apply Autopilot for existing devices config file** and paste the following into the **Command line** text box, and then click **Apply**: + ``` + cmd.exe /c xcopy AutopilotConfigurationFile.json %OSDTargetSystemDrive%\windows\provisioning\Autopilot\ /c + ``` + - **AutopilotConfigurationFile.json** must be the name of the JSON file present in the Autopilot for existing devices package created earlier. + +17. In the **Apply Autopilot for existing devices config file** step, select the **Package** checkbox and then click **Browse**. +18. Select the **Autopilot for existing devices config** package created earlier and click **OK**. An example is displayed at the end of this section. +19. Under the **Setup Operating System** group, click the **Setup Windows and Configuration Manager** task. +20. Click **Add** and then click **New Group**. +21. Change **Name** from **New Group** to **Prepare Device for Autopilot** +22. Verify that the **Prepare Device for Autopilot** group is the very last step in the task sequence. Use the **Move Down** button if necessary. +23. With the **Prepare device for Autopilot** group selected, click **Add**, point to **Images** and then click **Prepare ConfigMgr Client for Capture**. +24. Add a second step by clicking **Add**, pointing to **Images**, and clicking **Prepare Windows for Capture**. Use the following settings in this step: + - Automatically build mass storage driver list: **Not selected** + - Do not reset activation flag: **Not selected** + - Shutdown the computer after running this action: **Optional** + + ![Autopilot task sequence](images/ap-ts-1.png) + +25. Click **OK** to close the Task Sequence Editor. + +### Deploy Content to Distribution Points + +Next, ensure that all content required for the task sequence is deployed to distribution points. + +1. Right click on the **Autopilot for existing devices** task sequence and click **Distribute Content**. +2. Click **Next**, **Review the content to distribute** and then click **Next**. +3. On the Specify the content distribution page click **Add** to specify either a **Distribution Point** or **Distribution Point Group**. +4. On the a Add Distribution Points or Add Distribution Point Groups wizard specify content destinations that will allow the JSON file to be retrieved when the task sequence is run. +5. When you are finished specifying content distribution, click **Next** twice then click **Close**. + +### Deploy the OS with Autopilot Task Sequence + +1. Right click on the **Autopilot for existing devices** task sequence and then click **Deploy**. +2. In the Deploy Software Wizard enter the following **General** and **Deployment Settings** details: + - Task Sequence: **Autopilot for existing devices**. + - Collection: Click **Browse** and then select **Autopilot for existing devices collection** (or another collection you prefer). + - Click **Next** to specify **Deployment Settings**. + - Action: **Install**. + - Purpose: **Available**. You can optionally select **Required** instead of **Available**. This is not recommended during the test owing to the potential impact of inadvertent configurations. + - Make available to the following: **Only Configuration Manager Clients**. Note: Choose the option here that is relevant for the context of your test. If the target client does not have the Configuration Manager agent or Windows installed, you will need to select an option that includes PXE or Boot Media. + - Click **Next** to specify **Scheduling** details. + - Schedule when this deployment will become available: Optional + - Schedule when this deployment will expire: Optional + - Click **Next** to specify **User Experience** details. + - Show Task Sequence progress: Selected. + - Software Installation: Not selected. + - System restart (if required to complete the installation): Not selected. + - Commit changed at deadline or during a maintenance windows (requires restart): Optional. + - Allow task sequence to be run for client on the Internet: Optional + - Click **Next** to specify **Alerts** details. + - Create a deployment alert when the threshold is higher than the following: Optional. + - Click **Next** to specify **Distribution Points** details. + - Deployment options: **Download content locally when needed by the running task sequence**. + - When no local distribution point is available use a remote distribution point: Optional. + - Allow clients to use distribution points from the default site boundary group: Optional. + - Click **Next**, confirm settings, click **Next**, and then click **Close**. + +### Complete the client installation process + +1. Open the Software Center on the target Windows 7 client computer. You can do this by clicking Start and then typing **software** in the search box, or by typing the following at a Windows PowerShell or command prompt: + + ``` + C:\Windows\CCM\SCClient.exe + ``` + +2. In the software library, select **Autopilot for existing devices** and click **Install**. See the following example: + + ![Named resource2](images/sc.png) + ![Named resource2](images/sc1.png) + +The Task Sequence will download content, reboot, format the drives and install Windows 10. The device will then proceed to be prepared for Autopilot. Once the task sequence has completed the device will boot into OOBE and provide an Autopilot experience. + +![refresh-1](images/up-1.png) +![refresh-2](images/up-2.png) +![refresh-3](images/up-3.png) + +### Register the device for Windows Autopilot + +Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-deployment-profile). + +Also see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices). + +## Speeding up the deployment process + +To remove around 20 minutes from the deployment process, see Michael Niehaus's blog with instructions for [Speeding up Windows Autopilot for existing devices](https://blogs.technet.microsoft.com/mniehaus/2018/10/25/speeding-up-windows-autopilot-for-existing-devices/). diff --git a/windows/deployment/windows-autopilot/images/ap-ts-1.png b/windows/deployment/windows-autopilot/images/ap-ts-1.png new file mode 100644 index 0000000000..5f4c33fd51 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/ap-ts-1.png differ diff --git a/windows/deployment/windows-autopilot/images/ap-ts.png b/windows/deployment/windows-autopilot/images/ap-ts.png new file mode 100644 index 0000000000..7c343176d0 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/ap-ts.png differ diff --git a/windows/deployment/windows-autopilot/images/connector-fail.png b/windows/deployment/windows-autopilot/images/connector-fail.png new file mode 100644 index 0000000000..2d8abb5785 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/connector-fail.png differ diff --git a/windows/deployment/windows-autopilot/images/esp-config.png b/windows/deployment/windows-autopilot/images/esp-config.png new file mode 100644 index 0000000000..eb9f94661f Binary files /dev/null and b/windows/deployment/windows-autopilot/images/esp-config.png differ diff --git a/windows/deployment/windows-autopilot/images/esp-settings.png b/windows/deployment/windows-autopilot/images/esp-settings.png new file mode 100644 index 0000000000..df0fe655e9 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/esp-settings.png differ diff --git a/windows/deployment/windows-autopilot/images/mdm-config.png b/windows/deployment/windows-autopilot/images/mdm-config.png new file mode 100644 index 0000000000..0b2dd14a53 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/mdm-config.png differ diff --git a/windows/deployment/windows-autopilot/images/notepad.png b/windows/deployment/windows-autopilot/images/notepad.png new file mode 100644 index 0000000000..0f243f95d6 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/notepad.png differ diff --git a/windows/deployment/windows-autopilot/images/pc-01a.png b/windows/deployment/windows-autopilot/images/pc-01a.png new file mode 100644 index 0000000000..a3d0f4cdea Binary files /dev/null and b/windows/deployment/windows-autopilot/images/pc-01a.png differ diff --git a/windows/deployment/windows-autopilot/images/pc-01b.png b/windows/deployment/windows-autopilot/images/pc-01b.png new file mode 100644 index 0000000000..07eda6e4bb Binary files /dev/null and b/windows/deployment/windows-autopilot/images/pc-01b.png differ diff --git a/windows/deployment/windows-autopilot/images/pwd.png b/windows/deployment/windows-autopilot/images/pwd.png new file mode 100644 index 0000000000..c9b0e7837c Binary files /dev/null and b/windows/deployment/windows-autopilot/images/pwd.png differ diff --git a/windows/deployment/windows-autopilot/images/sc.png b/windows/deployment/windows-autopilot/images/sc.png new file mode 100644 index 0000000000..bb326e6406 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/sc.png differ diff --git a/windows/deployment/windows-autopilot/images/sc1.png b/windows/deployment/windows-autopilot/images/sc1.png new file mode 100644 index 0000000000..380887a45c Binary files /dev/null and b/windows/deployment/windows-autopilot/images/sc1.png differ diff --git a/windows/deployment/windows-autopilot/images/up-1.PNG b/windows/deployment/windows-autopilot/images/up-1.PNG new file mode 100644 index 0000000000..c1284c53d2 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/up-1.PNG differ diff --git a/windows/deployment/windows-autopilot/images/up-2.PNG b/windows/deployment/windows-autopilot/images/up-2.PNG new file mode 100644 index 0000000000..4891a3873a Binary files /dev/null and b/windows/deployment/windows-autopilot/images/up-2.PNG differ diff --git a/windows/deployment/windows-autopilot/images/up-3.PNG b/windows/deployment/windows-autopilot/images/up-3.PNG new file mode 100644 index 0000000000..8b1e356f92 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/up-3.PNG differ diff --git a/windows/deployment/windows-autopilot/intune-connector.md b/windows/deployment/windows-autopilot/intune-connector.md new file mode 100644 index 0000000000..50ee521951 --- /dev/null +++ b/windows/deployment/windows-autopilot/intune-connector.md @@ -0,0 +1,52 @@ +--- +title: Intune Connector (preview) requirements +description: Intune Connector (preview) issue workaround +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 11/26/2018 +--- + + +# Intune Connector (preview) language requirements + +**Applies to: Windows 10** + +Microsoft has released a [preview for Intune connector for Active Directory](https://docs.microsoft.com/intune/windows-autopilot-hybrid) that enables user-driven [Hybrid Azure Active Directory join](user-driven-hybrid.md) for Windows Autopilot. + +In this preview version of the Intune Connector, you might receive an error message indicating a setup failure with the following error code and message: + +**0x80070658 - Error applying transforms. Verify that the specified transform paths are valid.** + +An [example](#example) of the error message is displayed at the bottom of this topic. + +This error can be resolved by ensuring that the member server where Intune Connector is running has one of the following language packs installed and configured to be the default keyboard layout: + +| | | | | | | | | | | | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +| en-US | cs-CZ | da-DK | de-DE | el-GR | es-ES | fi-FI | fr-FR | hu-HU | it-IT | ja-JP | +| ko-KR | nb-NO | nl-NL | pl-PL | pt-BR | ro-RO | ru-RU | sv-SE | tr-TR | zh-CN | zh-TW | + +>[!NOTE] +>After installing the Intune Connector, you can restore the keyboard layout to its previous settings.
      +>This solution is a workaround and will be fully resolved in a future release of the Intune Connector. + +To change the default keyboard layout: + +1. Click **Settings > Time & language > Region and language** +2. Select one of the languages listed above and choose **Set as default**. + +If the language you need isn't listed, you can add additional languages by selecting **Add a language**. + +## Example + +The following is an example of the error message that can be displayed if one of the listed languages is not used during setup: + +![Connector error](images/connector-fail.png) + + diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md index 4868e24cd2..dd9f40aa1a 100644 --- a/windows/deployment/windows-autopilot/profiles.md +++ b/windows/deployment/windows-autopilot/profiles.md @@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/18 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 12/13/2018 --- # Configure Autopilot profiles @@ -18,7 +18,29 @@ ms.date: 06/01/18 - Windows 10 -For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied to specify the exact behavior of that device when it is deployed. The following profile settings are available: +For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it is deployed. For detailed procedures on how to configure profile settings and register devices, see [Registering devices](add-devices.md#registering-devices). + +## Profile download + +When an Internet-connected Windows 10 device boots up, it will attempt to connect to the Autopilot service and download an Autopilot profile. Note: It is important that a profile exists at this stage so that a blank profile is not cached locally on the PC. To remove the currently cached local profile in Windows 10 version 1803 and earlier, it is necessary to re-generalize the OS using **sysprep /generalize /oobe**, reinstall the OS, or re-image the PC. In Windows 10 version 1809 and later, you can retrieve a new profile by rebooting the PC. + +When a profile is downloaded depends on the version of Windows 10 that is running on the PC. See the following table. + +| Windows 10 version | Profile download behavior | +| --- | --- | +| 1703 and 1709 | The profile is downloaded after the OOBE network connection page. This page is not displayed when using a wired connection. In this case, the profile is downloaded just prior to the EULA screen. | +| 1803 | The profile is downloaded as soon as possible. If wired, it is downloaded at the start of OOBE. If wireless, it is downloaded after the network connection page. | +| 1809 | The profile is downloaded as soon as possible (same as 1803), and again after each reboot. | + +If you need to reboot a computer during OOBE: +- Press Shift-F10 to open a command prompt. +- Enter **shutdown /r /t 0** to restart immediately, or **shutdown /s /t 0** to shutdown immediately. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options). + +## Profile settings + +The following profile settings are available: - **Skip Cortana, OneDrive and OEM registration setup pages**. All devices registered with Autopilot will automatically skip these pages during the out-of-box experience (OOBE) process. @@ -32,4 +54,8 @@ For each device that has been defined to the Windows Autopilot deployment servic - **Skip End User License Agreement (EULA)**. Starting in Windows 10 version 1709, organizations can decide to skip the EULA page presented during the OOBE process. This means that organizations accept the EULA terms on behalf of their users. -- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details. +- **Disable Windows consumer features**. Starting in Windows 10 version 1803, organizations can disable Windows consumer features so that the device does not automatically install any additional Microsoft Store apps when the user first signs into the device. See the [MDM documentation](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) for more details. + +## Related topics + +[Configure Autopilot deployment](configure-autopilot.md) \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/rip-and-replace.md b/windows/deployment/windows-autopilot/rip-and-replace.md deleted file mode 100644 index 0f85771ec9..0000000000 --- a/windows/deployment/windows-autopilot/rip-and-replace.md +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: Rip and Replace -description: Listing of Autopilot scenarios -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: low -ms.sitesec: library -ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 ---- - -# Rip and replace - -**Applies to: Windows 10** - -DO NOT PUBLISH. Just a placeholder for now, coming with 1809. \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index deba1e8e5e..b4e8171fa3 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md @@ -8,9 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: ms.localizationpriority: medium -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 10/02/2018 --- # Windows Autopilot Self-Deploying mode (Preview) @@ -19,7 +19,7 @@ ms.date: 06/01/2018 Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. >[!NOTE] ->In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding) for more details. +>In order to display an organization-specific logo and organization name during the Autopilot process, Azure Active Directory Company Branding needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. ![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) @@ -36,7 +36,7 @@ Because self-deploying mode uses a device’s TPM 2.0 hardware to authenticate t >[!NOTE] >If you attempt a self-deploying mode deployment on a device that does not have support TPM 2.0 or on a virtual machine, the process will fail when verifying the device with an 0x800705B4 timeout error. -Windows Autopilot self-deploying mode enables you to effortlessly deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/en-us/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. +Windows Autopilot self-deploying mode enables you to effortlessly deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. Windows Autopilot self-deploying mode is available on Windows 10 build 17672 or higher. When configuring an Autopilot profile in Microsoft Intune, you’ll see a new drop-down menu that asks for the deployment mode. In that menu, select Self-deploying (preview) and apply that profile to the devices you’d like to validate. diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md index 2ea0af92da..8d39c2b0a0 100644 --- a/windows/deployment/windows-autopilot/troubleshooting.md +++ b/windows/deployment/windows-autopilot/troubleshooting.md @@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 10/02/2018 --- # Troubleshooting Windows Autopilot @@ -87,6 +87,6 @@ Error code 801C0003 will typically be reported on an error page titled "Somethin ### Troubleshooting Intune enrollment issues -See [this knowledge base article](https://support.microsoft.com/en-us/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user. +See [this knowledge base article](https://support.microsoft.com/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues. Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user. Error code 80180018 will typiclaly be reported on an error page titled "Something went wrong." This error means that the MDM enrollment failed. diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md index 91d9bbf472..b63517060d 100644 --- a/windows/deployment/windows-autopilot/user-driven-aad.md +++ b/windows/deployment/windows-autopilot/user-driven-aad.md @@ -1,19 +1,35 @@ ---- -title: User-driven mode for AAD -description: Listing of Autopilot scenarios -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: low -ms.sitesec: library -ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 ---- - -# Windows Autopilot user-driven mode for Azure Active Directory - -**Applies to: Windows 10** - -DO NOT PUBLISH. This eventually will contain the AAD-specific instuctions currently in user-driven.md. +--- +title: User-driven mode for AAD +description: Listing of Autopilot scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 11/07/2018 +--- + +# Windows Autopilot user-driven mode for Azure Active Directory join + +**Applies to: Windows 10** + +## Procedures + +In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: + +- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. +- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. +- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. + +For each device that will be deployed using user-driven deployment, these additional steps are needed: + +- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. +- Ensure an Autopilot profile has been assigned to the device: + - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. + - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. + - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md index 091783afa4..a5fa678ff4 100644 --- a/windows/deployment/windows-autopilot/user-driven-hybrid.md +++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md @@ -7,14 +7,34 @@ ms.mktglfcycl: deploy ms.localizationpriority: low ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 11/12/2018 --- -# Windows Autopilot user-driven mode for Hybrid Azure Active Directory Join +# Windows Autopilot user-driven mode for hybrid Azure Active Directory join **Applies to: Windows 10** -DO NOT PUBLISH. This eventually will contain the AD-specific (hybrid) instuctions. This will be in preview at a later point in time. +Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). + +## Requirements + +To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: + +- A Windows Autopilot profile for user-driven mode must be created and + - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. +- If using Intune, a device group in Azure Active Directory must exist with the Windows Autopilot profile assigned to that group. +- The device must be running Windows 10, version 1809 or later. +- The device must be connected to the Internet and have access to an Active Directory domain controller. +- The Intune Connector for Active Directory must be installed. + - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. + +**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. + +## Step by step instructions + +See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). + +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index bb9b722bb6..4fd86ef3b5 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -7,14 +7,13 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.date: 11/07/2018 +ms.author: greg-lindsay +ms.date: 11/07/2018 --- -# Windows Autopilot User-Driven Mode - -**Applies to: Windows 10 version 1703 and above** +# Windows Autopilot user-driven mode Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: @@ -25,23 +24,14 @@ Windows Autopilot user-driven mode is designed to enable new Windows 10 devices After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be supressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. -Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. +Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. -## Step by step +## Available user-driven modes -In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: +The following options are available for user-driven deployment: -- Ensure that the users who will be performing user-driven mode deployments are able to join devices to Azure Active Directory. See [Configure device settings](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azure-portal#configure-device-settings) in the Azure Active Directory documentation for more information. -- Create an Autopilot profile for user-driven mode with the desired settings. In Microsoft Intune, this mode is explicitly chosen when creating the profile. With Microsoft Store for Business and Partner Center, user-driven mode is the default and does not need to be selected. -- If using Intune, create a device group in Azure Active Directory and assign the Autopilot profile to that group. - -For each machine that will be deployed using user-driven deployment, these additional steps are needed: - -- Ensure that the device has been added to Windows Autopilot. This can be done automatically by an OEM or partner at the time the device is purchased, or it can be done through a manual harvesting process later. See [Adding devices to Windows Autopilot](add-devices.md) for more information. -- Ensure an Autopilot profile has been assigned to the device: - - If using Intune and Azure Active Directory dynamic device groups, this can be done automatically. - - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. +- [Azure Active Directory join](user-driven-aad.md) is available if devices do not need to be joined to an on-prem Active Directory domain. +- [Hybrid Azure Active Directory join](user-driven-hybrid.md) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. ## Validation diff --git a/windows/deployment/windows-autopilot/windows-10-autopilot.md b/windows/deployment/windows-autopilot/windows-10-autopilot.md deleted file mode 100644 index 810bdf70be..0000000000 --- a/windows/deployment/windows-autopilot/windows-10-autopilot.md +++ /dev/null @@ -1,135 +0,0 @@ ---- -title: Overview of Windows Autopilot -description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, msfb, intune -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 08/22/2018 ---- - -# Overview of Windows Autopilot - -**Applies to** - -- Windows 10 - -Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. In addition, you can use Windows Autopilot to reset, repurpose and recover devices.
      -This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. - -The following video shows the process of setting up Autopilot: - -
      - - -## Benefits of Windows Autopilot - -Traditionally, IT pros spend a lot of time on building and customizing images that will later be deployed to devices with a perfectly good OS already installed on them. Windows Autopilot introduces a new approach. - -From the users' perspective, it only takes a few simple operations to make their device ready to use. - -From the IT pros' perspective, the only interaction required from the end user, is to connect to a network and to verify their credentials. Everything past that is automated. - -## Windows Autopilot Scenarios - -### Cloud-Driven - -The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. - -#### The Windows Autopilot Deployment Program experience - -The Windows Autopilot Deployment Program enables you to: -* Automatically join devices to Azure Active Directory (Azure AD) -* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) -* Restrict the Administrator account creation -* Create and auto-assign devices to configuration groups based on a device's profile -* Customize OOBE content specific to the organization - -##### Prerequisites - -* [Devices must be registered to the organization](#device-registration-and-oobe-customization) -* [Company branding needs to be configured](#configure-company-branding-for-oobe) -* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements) -* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later -* Devices must have access to the internet -* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) -* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal) -* Microsoft Intune or other MDM services to manage your devices - -The end-user unboxes and turns on a new device. What follows are a few simple configuration steps: -* Select a language and keyboard layout -* Connect to the network -* Provide email address (the email address of the user's Azure AD account) and password - -Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). - -MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. - -
      - - -#### Device registration and OOBE customization - -To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. - -If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID. - -Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703: -* Skipping Work or Home usage selection (*Automatic*) -* Skipping OEM registration, OneDrive and Cortana (*Automatic*) -* Skipping privacy settings -* Skipping EULA (*starting with Windows 10, version 1709*) -* Preventing the account used to set-up the device from getting local administrator permissions - -For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options: -* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) -* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) -* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) - -##### Configure company branding for OOBE - -In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first. - -See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings. - -##### Configure MDM auto-enrollment in Microsoft Intune - -In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. - ->[!NOTE] ->MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. - -#### Network connectivity requirements - -The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices. - -To manage devices behind firewalls and proxy servers, the following URLs need to be accessible: - -* https://go.microsoft.com -* https://login.microsoftonline.com -* https://login.live.com -* https://account.live.com -* https://signup.live.com -* https://licensing.mp.microsoft.com -* https://licensing.md.mp.microsoft.com -* ctldl.windowsupdate.com -* download.windowsupdate.com - ->[!NOTE] ->Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible. - ->[!TIP] ->If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidlines for [Microsoft Intune](https://docs.microsoft.com/en-us/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2). - -### IT-Driven - -If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). - -### Teacher-Driven - -If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. - diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md index 919b0f5efa..d71d8e0a81 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md @@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 10/02/2018 --- # Windows Autopilot configuration requirements @@ -18,14 +18,14 @@ ms.date: 06/01/2018 Before Windows Autopilot can be used, some configuration tasks are required to support the common Autopilot scenarios. -- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/en-us/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services. -- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). -- Enable [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. +- Configure Azure Active Directory automatic enrollment. For Microsoft Intune, see [Enable Windows 10 automatic enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) for details. If using a different MDM service, contact the vendor for the specific URLs or configuration needed for those services. +- Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). +- Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. Specific scenarios will then have additional requirements. Generally, there are two specific tasks: - Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details. -- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. +- Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. See [Windows Autopilot Scenarios](windows-autopilot-scenarios.md) for additional details. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md index 8cd71d80c3..e7df24a12c 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md @@ -7,11 +7,12 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 10/02/2018 +ms.author: greg-lindsay +ms.date: 10/02/2018 --- - # Windows Autopilot licensing requirements **Applies to: Windows 10** @@ -25,12 +26,13 @@ Windows Autopilot depends on specific capabilities available in Windows 10 and A - Enterprise - Education - One of the following, to provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality: - - Microsoft 365 Business subscriptions - - Microsoft 365 F1 subscriptions - - Microsoft 365 Enterprise E3 or E5 subscriptions, which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune) - - Enterprise Mobility + Security E3 or E5 subscriptions, which include all needed Azure AD and Intune features - - Azure Active Directory Premium P1 or P2 and Intune subscriptions (or an alternative MDM service) + - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business) + - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline) + - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx) + - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune) + - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features + - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/en-us/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service) Additionally, the following are also recommended but not required: -- Office 365 ProPlus, which can be deployed easily via Intune (or other MDM services) -- [Windows Subscription Activation](https://docs.microsoft.com/en-us/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise +- [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services) +- [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md index 6ed585912e..5474e7fb94 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md @@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 10/02/2018 --- # Windows Autopilot networking requirements @@ -26,7 +26,7 @@ In environments that have more restrictive internet access, or for those that re - **Windows Autopilot Deployment Service (and Windows Activation).**  After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service using the same services used for Windows Activation. See the following link for details: - - + - - **Azure Active Directory.**  User credentials are validated by Azure Active Directory, then the device may also be joined to Azure Active Directory. See the following link for more information: @@ -34,17 +34,17 @@ In environments that have more restrictive internet access, or for those that re - **Intune.**  Once authenticated, Azure Active Directory will trigger the enrollment of the device into the Intune MDM service. See the following link for details: - - (Network communication requirements section) + - (Network communication requirements section) - **Windows Update.**  During the OOBE process, as well as after the Windows 10 OS is fully configured, the Windows Update service is leveraged to retrieve needed updates. - - + - - NOTE:  If Windows Update is inaccessible, the AutoPilot process will still continue. - **Delivery Optimization.**  When downloading Windows Updates and Microsoft Store apps and app updates (with additional content types expected in the future), the Delivery Optimization service is contacted to enable peer-to-peer sharing of content, so that all devices don’t need to download it from the internet. - - + - - NOTE: If Delivery Optimization is inaccessible, the AutoPilot process will still continue. @@ -56,23 +56,23 @@ In environments that have more restrictive internet access, or for those that re - **Diagnostics data.**  To enable Windows Analytics and related diagnostics capabilities, see the following documentation: - - + - - NOTE: If diagnostic data cannot be sent, the Autopilot process will still continue. - **Network Connection Status Indicator (NCSI).**  Windows must be able to tell that the device is able to access the internet. - - (Network Connection Status Indicator section, [www.msftconnecttest.com](http://www.msftconnecttest.com) must be resolvable via DNS and accessible via HTTP) + - (Network Connection Status Indicator section, [www.msftconnecttest.com](http://www.msftconnecttest.com) must be resolvable via DNS and accessible via HTTP) - **Windows Notification Services (WNS).**  This service is used to enable Windows to receive notifications from apps and services. - - (Microsoft store section) + - (Microsoft store section) - NOTE: If the WNS services are not available, the Autopilot process will still continue. - **Microsoft Store, Microsoft Store for Business.**  Apps in the Microsoft Store can be pushed to the device, triggered via Intune (MDM).  App updates and additional apps may also be needed when the user first logs in. - - (also includes Azure AD and Windows Notification Services) + - (also includes Azure AD and Windows Notification Services) - NOTE: If the Microsoft Store is not accessible, the AutoPilot process will still continue. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 1ffd9e4582..e2dc975086 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -7,9 +7,9 @@ ms.mktglfcycl: deploy ms.localizationpriority: high ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 12/13/2018 --- # Windows Autopilot requirements @@ -18,6 +18,14 @@ ms.date: 06/01/2018 Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met: -- [Licensing requirements](windows-autopilot-requirements-licensing.md) must be met. -- [Networking requirements](windows-autopilot-requirements-network.md) need to be met. -- [Configuration requirements](windows-autopilot-requirements-configuration.md) need to be completed. \ No newline at end of file +See the following topics for details on licensing, network, and configuration requirements: +- [Licensing requirements](windows-autopilot-requirements-licensing.md) +- [Networking requirements](windows-autopilot-requirements-network.md) +- [Configuration requirements](windows-autopilot-requirements-configuration.md) + - For details about specific configuration requirements to enable user-driven Hybrid Azure Active Directory join for Windows Autopilot, see [Intune Connector (preview) language requirements](intune-connector.md). This requirement is a temporary workaround, and will be removed in the next release of Intune Connector. + +There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). + +## Related topics + +[Configure Autopilot deployment](configure-autopilot.md) \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md index b8259e9016..c97d79add8 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md @@ -8,9 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: ms.localizationpriority: medium -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 10/02/2018 --- # Reset devices with local Windows Autopilot Reset diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md index 7efd53c9f0..1f7cca216f 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md @@ -8,9 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: ms.localizationpriority: medium -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 10/02/2018 --- # Reset devices with remote Windows Autopilot Reset (Preview) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md index 4417198067..9e83d32bbb 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md @@ -8,9 +8,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: ms.localizationpriority: medium -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 10/02/2018 --- # Windows Autopilot Reset diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md index b832512df1..8dc1b58886 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md @@ -7,20 +7,24 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 12/13/2018 --- # Windows Autopilot scenarios **Applies to: Windows 10** -Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/en-us/windows/client-management/manage-windows-10-in-your-organization-modern-management). +Windows Autopilot includes support for a growing list of scenarios, designed to support common organization needs which can vary based on the type of organization and their progress moving to Windows 10 and [transitioning to modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management). For details about these scenarios, see these additional topics: -- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person. -- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device. -- [Windows Autopilot Reset](windows-autopilot-reset.md), +- [Windows Autopilot for existing devices](existing-devices.md), to deploy Windows 10 on an existing Windows 7 or 8.1 device. +- [Windows Autopilot user-driven mode](user-driven.md), for devices that will be set up by a member of the organization and configured for that person. +- [Windows Autopilot self-deploying mode](self-deploying.md), for devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device. +- [Windows Autopilot Reset](windows-autopilot-reset.md), to re-deploy a device in a business-ready state. +## Related topics + +[Windows Autopilot Enrollment Status page](enrollment-status.md) diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index 39eb571f2a..0cf15ed303 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -1,20 +1,25 @@ --- title: Overview of Windows Autopilot description: This topic goes over Windows Autopilot and how it helps setup OOBE Windows 10 devices. -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, msfb, intune ms.prod: w10 ms.mktglfcycl: deploy -ms.localizationpriority: high +ms.localizationpriority: medium ms.sitesec: library ms.pagetype: deploy -author: coreyp-at-msft -ms.author: coreyp -ms.date: 06/01/2018 +author: greg-lindsay +ms.author: greg-lindsay +ms.date: 01/03/2018 --- # Overview of Windows Autopilot -**Applies to: Windows 10** +**Applies to** + +- Windows 10 + +Windows Autopilot is a collection of technologies used to set up and pre-configure new devices, getting them ready for productive use. You can also use Windows Autopilot to reset, repurpose and recover devices.
      +This solution enables an IT department to achieve the above with little to no infrastructure to manage, with a process that's easy and simple. Windows Autopilot is designed to simplify all parts of the lifecycle of Windows devices, for both IT and end users, from initial deployment through the eventual end of life. Leveraging cloud-based services, it can reduce the overall costs for deploying, managing, and retiring devices by reducing the amount of time that IT needs to spend on these processes and the amount of infrastructure that they need to maintain, while ensuring ease of use for all types of end users. @@ -24,3 +29,46 @@ When initially deploying new Windows devices, Windows Autopilot leverages the OE Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intune, Windows Update for Business, System Center Configuration Manager, and other similar tools. Windows Autopilot can help with device re-purposing scenarios, leveraging Windows Autopilot Reset to quickly prepare a device for a new user, as well as in break/fix scenarios to enable a device to quickly be brought back to a business-ready state. +## Windows Autopilot walkthrough + +The following video shows the process of setting up Windows Autopilot: + +
      + + + +## Benefits of Windows Autopilot + +Traditionally, IT pros spend a lot of time building and customizing images that will later be deployed to devices. Windows Autopilot introduces a new approach. + +From the user's perspective, it only takes a few simple operations to make their device ready to use. + +From the IT pro's perspective, the only interaction required from the end user is to connect to a network and to verify their credentials. Everything past that is automated. + +## Requirements + +Windows 10 version 1703 or higher is required to use Windows Autopilot. The following editions are supported: +- Pro +- Pro Education +- Pro for Workstations +- Enterprise +- Education + +See [Windows Autopilot requirements](windows-autopilot-requirements.md) for detailed information on configuration, network, and licensing requirements. + +## Windows Autopilot Scenarios + +Windows Autopilot enables you to pre-register devices to your organization so that they will be fully configured with no additional intervention required by the user. + +Windows Autopilot enables you to: +* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)). +* Restrict the Administrator account creation. +* Create and auto-assign devices to configuration groups based on a device's profile. +* Customize OOBE content specific to the organization. + +See [Windows Autopilot scenarios](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-scenarios) for more information about scenarios for using Windows Autopilot. + +## Related topics + +[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot) \ No newline at end of file diff --git a/windows/docfx.json b/windows/docfx.json index f1253f1567..9ac35033eb 100644 --- a/windows/docfx.json +++ b/windows/docfx.json @@ -9,7 +9,7 @@ ], "resource": [ { - "files": ["**/images/**", "**/*.json"], + "files": ["**/images/**"], "exclude": ["**/obj/**"] } ], diff --git a/windows/eulas/TOC.yml b/windows/eulas/TOC.yml new file mode 100644 index 0000000000..b5ef71ac32 --- /dev/null +++ b/windows/eulas/TOC.yml @@ -0,0 +1,2 @@ +- name: Index + href: index.md \ No newline at end of file diff --git a/windows/eulas/breadcrumb/toc.yml b/windows/eulas/breadcrumb/toc.yml new file mode 100644 index 0000000000..61d8fca61e --- /dev/null +++ b/windows/eulas/breadcrumb/toc.yml @@ -0,0 +1,3 @@ +- name: Docs + tocHref: / + topicHref: / \ No newline at end of file diff --git a/windows/eulas/docfx.json b/windows/eulas/docfx.json new file mode 100644 index 0000000000..ff3ab96c92 --- /dev/null +++ b/windows/eulas/docfx.json @@ -0,0 +1,47 @@ +{ + "build": { + "content": [ + { + "files": [ + "**/*.md", + "**/*.yml" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**", + "README.md", + "LICENSE", + "LICENSE-CODE", + "ThirdPartyNotices" + ] + } + ], + "resource": [ + { + "files": [ + "**/*.png", + "**/*.jpg" + ], + "exclude": [ + "**/obj/**", + "**/includes/**", + "_themes/**", + "_themes.pdf/**" + ] + } + ], + "overwrite": [], + "externalReference": [], + "globalMetadata": { + "breadcrumb_path": "/windows/eulas/breadcrumb/toc.json", + "extendBreadcrumb": true, + "feedback_system": "None" + }, + "fileMetadata": {}, + "template": [], + "dest": "eula-vsts", + "markdownEngineName": "markdig" + } +} \ No newline at end of file diff --git a/windows/eulas/index.md b/windows/eulas/index.md new file mode 100644 index 0000000000..2eb00343d3 --- /dev/null +++ b/windows/eulas/index.md @@ -0,0 +1,12 @@ +--- +title: Windows 10 - Testing in live +description: What are Windows, UWP, and Win32 apps +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: mobile +ms.author: elizapo +author: lizap +ms.localizationpriority: medium +--- +# Testing non-editability diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md index 6a6cc2230e..1883594880 100644 --- a/windows/hub/TOC.md +++ b/windows/hub/TOC.md @@ -1,5 +1,6 @@ # [Windows 10 and Windows 10 Mobile](index.md) ## [What's new](/windows/whats-new) +## [Release information](release-information.md) ## [Deployment](/windows/deployment) ## [Configuration](/windows/configuration) ## [Client management](/windows/client-management) diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 781df2941e..d62fafe3c4 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -38,7 +38,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "brianlic", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/hub/index.md b/windows/hub/index.md index adbc774252..dac41359d2 100644 --- a/windows/hub/index.md +++ b/windows/hub/index.md @@ -8,7 +8,7 @@ author: greg-lindsay ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # Windows 10 and Windows 10 Mobile @@ -18,15 +18,16 @@ Find the latest how to and support content that IT pros need to evaluate, plan,   -> [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false] + +> [!video https://www.youtube.com/embed/hAva4B-wsVA] -## Check out [what's new in Windows 10, version 1803](/windows/whats-new/whats-new-windows-10-version-1803). +## Check out [what's new in Windows 10, version 1809](/windows/whats-new/whats-new-windows-10-version-1809).
      @@ -71,9 +72,11 @@ These improvements focus on maximizing customer involvement in Windows developme - [Read more about Windows as a Service](/windows/deployment/update/waas-overview) + ## Related topics [Windows 10 TechCenter](https://go.microsoft.com/fwlink/?LinkId=620009) +   diff --git a/windows/hub/release-information.md b/windows/hub/release-information.md new file mode 100644 index 0000000000..89d0606cfe --- /dev/null +++ b/windows/hub/release-information.md @@ -0,0 +1,37 @@ +--- +title: Windows 10 - release information +description: Learn release information for Windows 10 releases +keywords: ["Windows 10", "Windows 10 October 2018 Update"] +ms.prod: w10 +layout: LandingPage +ms.topic: landing-page +ms.mktglfcycl: deploy +ms.sitesec: library +author: lizap +ms.author: elizapo +ms.localizationpriority: high +--- +# Windows 10 - Release information + +>[!IMPORTANT] +> The URL for the release information page has changed - update your bookmark! + +Microsoft has updated its servicing model. The Semi-Annual Channel (SAC) offers twice-per-year feature updates that release around March and September, with an 18-month servicing period for each release. Starting with Windows 10, version 1809, feature updates for Windows 10 Enterprise and Education editions with a targeted release month of September will be serviced for 30 months from their release date (more information can be found [here](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/)). + +If you are not using Windows Update for Business today, “Semi-Annual Channel (Targeted)” (SAC-T) has no impact on your devices (more information can be found [here](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747)), and we recommend you begin deployment of each Semi-Annual Channel release right away to devices selected for early adoption and ramp up to full deployment at your discretion. This will enable you to gain access to new features, experiences, and integrated security as soon as possible. + +If you are using Windows Update for Business today, refer to the table below to understand when your device will be updated, based on which deferral period you have configured, SAC -T or SAC. + +**Notice: November 13, 2018:** All editions of Windows 10 October 2018 Update, version 1809, for Windows client and server have resumed. Customers currently running Windows 10, version 1809, will receive build 17763.134 as part of our regularly scheduled Update Tuesday servicing in November. If you update to the Window 10, version 1809, feature update you will receive build 17763.107. On the next automatic scan for updates, you’ll be taken to the latest cumulative update (build 17763.134 or higher). + +November 13 marks the revised start of the servicing timeline for the Semi-Annual Channel ("Targeted") and Long-Term Servicing Channel (LTSC) release for Windows 10, version 1809, Windows Server 2019, and Windows Server, version 1809. + +For information about the re-release and updates to the support lifecycle, refer to [John Cable's blog](https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders/), [Windows 10 Update History](https://support.microsoft.com/help/4464619), and the [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853). + +
      +
      + + +
      + + diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md new file mode 100644 index 0000000000..f50049e9bc --- /dev/null +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md @@ -0,0 +1,180 @@ +--- +title: Diagnostic Data Viewer for PowerShell Overview (Windows 10) +description: Use this article to use the Diagnostic Data Viewer for PowerShell to review the diagnostic data sent to Microsoft by your device. +keywords: privacy +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +author: brianlic-msft +ms.author: brianlic +ms.date: 01/17/2018 +--- + +# Diagnostic Data Viewer for PowerShell Overview + +**Applies to** + +- Windows 10, version 1809 +- Windows 10, version 1803 +- Windows Server, version 1803 +- Windows Server 2019 + +## Introduction +The Diagnostic Data Viewer for PowerShell is a PowerShell module that lets you review the diagnostic data your device is sending to Microsoft, grouping the info into simple categories based on how it's used by Microsoft. + +## Requirements + +You must have administrative privilege on the device in order to use this PowerShell module. This module requires OS version 1803 and higher. + +## Install and Use the Diagnostic Data Viewer for PowerShell + +You must install the module before you can use the Diagnostic Data Viewer for PowerShell. + +### Opening an Elevated PowerShell session + +Using the Diagnostic Data Viewer for PowerShell requires administrative (elevated) privilege. There are two ways to open an elevated PowerShell prompt. You can use either method. +- Go to **Start** > **Windows PowerShell** > **Run as administrator** +- Go to **Start** > **Command prompt** > **Run as administrator**, and run the command `C:\> powershell.exe` + +### Install the Diagnostic Data Viewer for PowerShell + + >[!IMPORTANT] + >It is recommended to visit the documentation on [Getting Started](https://docs.microsoft.com/en-us/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. + +To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session: +```powershell +PS C:\> Install-Module -Name Microsoft.DiagnosticDataViewer +``` + +To see more information about the module, visit [PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer). + +### Turn on data viewing +Before you can use this tool, you must turn on data viewing. Turning on data viewing enables Windows to store a local history of your device's diagnostic data for you to view until you turn it off. + +Note that this setting does not control whether your device sends diagnostic data. Instead, it controls whether your Windows device saves a local copy of the diagnostic data sent for your viewing. + +**To turn on data viewing through the Settings page** +1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + +2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. + + ![Location to turn on data viewing](images/ddv-data-viewing.png) + +**To turn on data viewing through PowerShell** + +Run the following command within an elevated PowerShell session: + +```powershell +PS C:\> Enable-DiagnosticDataViewing +``` + +Once data viewing is enabled, your Windows machine will begin saving a history of diagnostic data that is sent to Microsoft from this point on. + + >[!IMPORTANT] + >Turning on data viewing can use up to 1GB (default setting) of disk space on your system drive. We recommend that you turn off data viewing when you're done using the Diagnostic Data Viewer. For info about turning off data viewing, see the [Turn off data viewing](#turn-off-data-viewing) section in this article. + + +### Getting Started with Diagnostic Data Viewer for PowerShell +To see how to use the cmdlet, the parameters it accepts, and examples, run the following command from an elevated PowerShell session: + +```powershell +PS C:\> Get-Help Get-DiagnosticData +``` + +**To Start Viewing Diagnostic Data** + +From an elevated PowerShell session, run the following command: + +```powershell +PS C:\> Get-DiagnosticData +``` + +If the number of events is large, and you'd like to stop the command, enter `Ctrl+C`. + + >[!IMPORTANT] + >The above command may produce little to no results if you enabled data viewing recently. It can take several minutes before your Windows device can show diagnostic data it has sent. Use your device as you normally would in the mean time and try again. + +### Doing more with the Diagnostic Data Viewer for PowerShell +The Diagnostic Data Viewer for PowerShell provides you with the following features to view and filter your device's diagnostic data. You can also use the extensive suite of other PowerShell tools with this module. + +- **View your diagnostic events.** Running `PS C:\> Get-DiagnosticData`, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. + + Each event is displayed as a PowerShell Object. By default each event shows the event name, the time when it was seen by your Windows device, whether the event is [Basic](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization), its [diagnostic event category](#view-diagnostic-event-categories), and a detailed JSON view of the information it contains, which shows the event exactly as it was when sent to Microsoft. Microsoft uses this info to continually improve the Windows operating system. + +- **View Diagnostic event categories.** Each event shows the diagnostic event categories that it belongs to. These categories define how events are used by Microsoft. The categories are shown as numeric identifiers. For more information about these categories, see [Windows Diagnostic Data](https://docs.microsoft.com/en-us/windows/privacy/windows-diagnostic-data). + + To view the diagnostic category represented by each numeric identifier and what the category means, you can run the command: + + ```powershell + PS C:\> Get-DiagnosticDataTypes + ``` + +- **Filter events by when they were sent.** You can view events within specified time ranges by specifying a start time and end time of each command. For example, to see all diagnostic data sent between 12 and 6 hours ago, run the following command. Note that data is shown in order of oldest first. + ```powershell + PS C:\> Get-DiagnosticData -StartTime (Get-Date).AddHours(-12) -EndTime (Get-Date).AddHours(-6) + ``` + +- **Export the results of each command.** You can export the results of each command to a separate file such as a csv by using pipe `|`. For example, + + ```powershell + PS C:\> Get-DiagnosticData | Export-Csv 'mydata.csv' + ``` + +## Turn off data viewing +When you're done reviewing your diagnostic data, we recommend turning off data viewing to prevent using up more memory. Turning off data viewing stops Windows from saving a history of your diagnostic data and clears the existing history of diagnostic data from your device. + +**To turn off data viewing through the Settings page** +1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. + +2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. + + ![Location to turn off data viewing](images/ddv-settings-off.png) + +**To turn off data viewing through PowerShell** + +Within an elevated PowerShell session, run the following command: + +```powershell +PS C:\> Disable-DiagnosticDataViewing +``` + +## Modifying the size of your data history +By default, the tool will show you up to 1GB or 30 days of data (whichever comes first). Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. + +**Modify the size of your data history** + + >[!IMPORTANT] + >Modifying the maximum amount of diagnostic data viewable by the tool may come with performance impacts to your machine. + +You can change the maximum data history size (in megabytes) that you can view. For example, to set the maximum data history size to 2048MB (2GB), you can run the following command. + +```powershell +PS C:\> Set-DiagnosticStoreCapacity -Size 2048 +``` + +You can change the maximum data history time (in hours) that you can view. For example, to set the maximum data history time to 24 hours, you can run the following command. + +```powershell +PS C:\> Set-DiagnosticStoreCapacity -Time 24 +``` + + >[!IMPORTANT] + >You may need to restart your machine for the new settings to take effect. + + >[!IMPORTANT] + >If you have the [Diagnostic Data Viewer](diagnostic-data-viewer-overview.md) store app installed on the same device, modifications to the size of your data history through the PowerShell module will also be reflected in the app. + +**Reset the size of your data history** + +To reset the maximum data history size back to its original 1GB default value, run the following command in an elevated PowerShell session: + +```powershell +PS C:\> Set-DiagnosticStoreCapacity -Size 1024 -Time 720 +``` + + +## Related Links +- [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer) +- [Documentation for Diagnostic Data Viewer for PowerShell](https://docs.microsoft.com/en-us/powershell/module/microsoft.diagnosticdataviewer/?view=win10-ps) \ No newline at end of file diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md index 085675fdde..d581476641 100644 --- a/windows/privacy/TOC.md +++ b/windows/privacy/TOC.md @@ -1,10 +1,13 @@ # [Privacy](index.yml) ## [Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md) -## [Windows 10 and the GDPR for IT Decision Makers](gdpr-it-guidance.md) +## [Windows and the GDPR: Information for IT Administrators and Decision Makers](gdpr-it-guidance.md) ## [Windows 10 personal data services configuration](windows-personal-data-services-configuration.md) ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) -## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) +## Diagnostic Data Viewer +### [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md) +### [Diagnostic Data Viewer for PowerShell Overview](Microsoft-DiagnosticDataViewer.md) ## Basic level Windows diagnostic data events and fields +### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) ### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) ### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) ### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) @@ -13,7 +16,10 @@ ## Full level categories ### [Windows 10, version 1709 and newer diagnostic data for the Full level](windows-diagnostic-data.md) ### [Windows 10, version 1703 diagnostic data for the Full level](windows-diagnostic-data-1703.md) -## [Manage Windows 10 connection endpoints](manage-windows-endpoints.md) +## Manage Windows 10 connection endpoints +### [Connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) +### [Connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +### [Connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) ### [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) ### [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) ## [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index 371890febb..79ef8ac888 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 09/10/2018 +ms.date: 12/27/2018 --- @@ -20,7 +20,7 @@ ms.date: 09/10/2018 - Windows 10, version 1703 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -29,6 +29,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: +- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) @@ -1472,6 +1473,12 @@ The following fields are available: - **SocketCount** Number of physical CPU sockets of the machine. +### Census.Security + +Provides information on several important data points about security settings. + + + ### Census.Speech This event is used to gather basic speech settings on the device. @@ -1750,8 +1757,106 @@ The following fields are available: - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +## Content Delivery Manager events + +### Microsoft.Windows.ContentDeliveryManager.ProcessCreativeEvent + +This event sends tracking data about the reliability of interactions with Windows spotlight content, to help keep Windows up to date. + +The following fields are available: + +- **creativeId** A serialized string containing the ID of the offer being rendered, the ID of the current rotation period, the ID of the surface/ring/market combination, the offer index in the current branch, the ID of the batch, the rotation period length, and the expiration timestamp. +- **eventToken** In there are multiple item offers, such as Start tiles, this indicates which tile the event corresponds to. +- **eventType** A code that indicates the type of creative event, such a impression, click, positive feedback, negative feedback, etc.. +- **placementId** Name of surface, such as LockScreen or Start. + + +### Microsoft.Windows.ContentDeliveryManager.ReportPlacementHealth + +This event sends aggregated client health data, summarizing information about the state of offers on a device, to help keep Windows up to date. + +The following fields are available: + +- **dataVersion** Schema version of the event that is used to determine what serialized content is available for placementReportedInfo and trackingInfo fields. +- **healthResult** A code that identifies user account health status as Unknown, Healthy, Unhealthy. +- **healthStateFlags** A code that represents a set of flags used to group devices in a health/unhealthy way. For example, Unhealthy, Healthy, RefreshNotScheduled, EmptyResponse, RenderedDefault, RenderFailure, RenderDelayed, and CacheEmpty. +- **placementHealthId** A code that represents which surface's health is being reported. For example, Default, LockScreen, LockScreenOverlay, StartMenu, SoftLanding, DefaultStartLayout1, DefaultStartLayout2, OemPreInstalledApps, FeatureManagement, SilentInstalledApps, NotificationChannel, SuggestedPenAppsSubscribedContent, TestAppSubscribedContent, OneDriveSyncNamespaceSubscribedContent, OneDriveLocalNamespaceSubscribedContent, OneDriveSyncNamespaceInternalSubscribedContent, and OneDriveLocalNamespaceInternalSubscribedContent. +- **placementReportedInfo** Serialized information that contains domain-specific health information written by each surface, such as lastUpportunityTime, lastOpportunityReportedTime, expectedExpirationTime, and rotationPeriod. +- **trackingInfo** Serialized information that contains domain-specific health information written by the content delivery manager, such as lastRefreshTime, nextRefreshTime, nextUpdateTime,renderPriorToLastOpportunityTime, lastRenderTime, lastImpressionTime, lastRulesRegistrationTime, registrationTime, lastRefreshBatchCount, lastEligibleCreativeCount, availableAppSlotCount, placeholderAppSlotCount, lastRenderSuccess, lastRenderDefault, isEnabled. + + +### Microsoft.Windows.ContentDeliveryManager.ReportPlacementState + +This event sends data about the opt-out state of a device or user that uses Windows spotlight, to help keep Windows up to date. + +The following fields are available: + +- **isEnabled** Indicates if the surface is enable to receive offers. +- **lastImpressionTime** The time when the last offer was seen. +- **lastRenderedCreativeId** ID of the last offer rendered by the surface. +- **lastRenderedTime** The time that the last offer was rendered. +- **nextRotationTime** The time in which the next offer will be rendered. +- **placementName** Name of surface, such as LockScreen or Start. +- **placementStateReportFlags** Flags that represent if the surface is capable of receiving offers, such as off by edition, off by Group Policy, off by user choice. +- **selectedPlacementId** ID of the surface/ring/markey combination, such as Lock-Internal-en-US. + + ## Diagnostic data events +### TelClientSynthetic.AbnormalShutdown_0 + +This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date. + +The following fields are available: + +- **AbnormalShutdownBootId** Retrieves the Boot ID for which the abnormal shutdown was observed. +- **CrashDumpEnabled** Indicates whether crash dumps are enabled. +- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. +- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. +- **FirmwareResetReasonEmbeddedController** Firmware-supplied reason for the reset. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional data related to the reset reason provided by the firmware. +- **FirmwareResetReasonPch** Hardware-supplied reason for the reset. +- **FirmwareResetReasonPchAdditional** Additional data related to the reset reason provided by the hardware. +- **FirmwareResetReasonSupplied** Indicates whether the firmware supplied any reset reason. +- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. +- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. +- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. +- **LastBugCheckBootId** The Boot ID of the last captured crash. +- **LastBugCheckCode** Code that indicates the type of error. +- **LastBugCheckContextFlags** Additional crash dump settings. +- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. +- **LastBugCheckOtherSettings** Other crash dump settings. +- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. +- **LastSuccessfullyShutdownBootId** The Boot ID of the last fully successful shutdown. +- **PowerButtonCumulativePressCount** Indicates the number of times the power button has been pressed ("pressed" not to be confused with "released"). +- **PowerButtonCumulativeReleaseCount** Indicates the number of times the power button has been released ("released" not to be confused with "pressed"). +- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record Power Button metrics (e.g.: due to a failure to lock/update the bootstat file). +- **PowerButtonLastPressBootId** The Boot ID of the last time the Power Button was detected to have been pressed ("pressed" not to be confused with "released"). +- **PowerButtonLastPressTime** The date and time the Power Button was most recently pressed ("pressed" not to be confused with "released"). +- **PowerButtonLastReleaseBootId** The Boot ID of the last time the Power Button was released ("released" not to be confused with "pressed"). +- **PowerButtonLastReleaseTime** The date and time the Power Button was most recently released ("released" not to be confused with "pressed"). +- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. +- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the Power Button was pressed. +- **PowerButtonPressLastPowerWatchdogStage** The last stage completed when the Power Button was most recently pressed. +- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. +- **TransitionInfoBootId** The Boot ID of the captured transition information. +- **TransitionInfoCSCount** The total number of times the system transitioned from "Connected Standby" mode to "On" when the last marker was saved. +- **TransitionInfoCSEntryReason** Indicates the reason the device last entered "Connected Standby" mode ("entered" not to be confused with "exited"). +- **TransitionInfoCSExitReason** Indicates the reason the device last exited "Connected Standby" mode ("exited" not to be confused with "entered"). +- **TransitionInfoCSInProgress** Indicates whether the system was in or entering Connected Standby mode when the last marker was saved. +- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp. +- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. +- **TransitionInfoPowerButtonTimestamp** The most recent date and time when the Power Button was pressed (collected via a different mechanism than PowerButtonLastPressTime). +- **TransitionInfoSleepInProgress** Indicates whether the system was in or entering Sleep mode when the last marker was saved. +- **TransitionInfoSleepTranstionsToOn** The total number of times the system transitioned from Sleep mode to on, when the last marker was saved. +- **TransitionInfoSystemRunning** Indicates whether the system was running when the last marker was saved. +- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. +- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. +- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. +- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. +- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. + + ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. @@ -1849,6 +1954,24 @@ The following fields are available: - **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex. +### TelClientSynthetic.HeartBeat_Aria_5 + +This event is the telemetry client ARIA heartbeat. + + + +### TelClientSynthetic.HeartBeat_Seville_5 + +This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. + + + +### TelClientSynthetic.TailoredExperiencesWithDiagnosticDataUpdate + +This event is triggered when UTC determines it needs to send information about personalization settings of the user. + + + ## DxgKernelTelemetry events ### DxgKrnlTelemetry.GPUAdapterInventoryV2 @@ -2058,6 +2181,23 @@ The following fields are available: - **devinv.dll** The file version of the Device inventory component. +### Microsoft.Windows.Inventory.Core.FileSigningInfoAdd + +This event enumerates the signatures of files, either driver packages or application executables. For driver packages, this data is collected on demand via Telecommand to limit it only to unrecognized driver packages, saving time for the client and space on the server. For applications, this data is collected for up to 10 random executables on a system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **CatalogSigners** Signers from catalog. Each signer starts with Chain. +- **DriverPackageStrongName** Optional. Available only if FileSigningInfo is collected on a driver package. +- **EmbeddedSigners** Embedded signers. Each signer starts with Chain. +- **FileName** The file name of the file whose signatures are listed. +- **FileType** Either exe or sys, depending on if a driver package or application executable. +- **InventoryVersion** The version of the inventory file generating the events. +- **Thumbprint** Comma separated hash of the leaf node of each signer. Semicolon is used to separate CatalogSigners from EmbeddedSigners. There will always be a trailing comma. + + ### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd This event sends basic metadata about an application on the system to help keep Windows up to date. @@ -2379,6 +2519,90 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +Invalid variant - Provides data on the installed Office Add-ins + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +Provides data on Office-related Internet Explorer features. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +Describes Office Products installed. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd + +This event describes various Office settings + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync + +Indicates a new sync is being generated for this object type. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + + + ### Microsoft.Windows.Inventory.Indicators.Checksum This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. @@ -2463,6 +2687,31 @@ The following fields are available: - **UserInputTime** The amount of time the loader application spent waiting for user input. +### Microsoft.Windows.Kernel.Power.OSStateChange + +This event denotes the transition between operating system states (e.g., On, Off, Sleep, etc.). By using this event with Windows Analytics, organizations can use this to help monitor reliability and performance of managed devices. + +The following fields are available: + +- **AcPowerOnline** If "TRUE," the device is using AC power. If "FALSE," the device is using battery power. +- **ActualTransitions** This will give the actual transitions number +- **BatteryCapacity** Maximum battery capacity in mWh +- **BatteryCharge** Current battery charge as a percentage of total capacity +- **BatteryDischarging** Flag indicating whether the battery is discharging or charging +- **BootId** Monotonically increasing boot id, reset on upgrades. +- **BootTimeUTC** Boot time in UTC  file time. +- **EventSequence** Monotonically increasing event number for OsStateChange events logged during this boot. +- **LastStateTransition** The previous state transition on the device. +- **LastStateTransitionSub** The previous state subtransition on the device. +- **StateDurationMS** Milliseconds spent in the state being departed +- **StateTransition** Transition type PowerOn=1, Shutdown, Suspend, Resume, Heartbeat. +- **StateTransitionSub** Subtransition type Normal=1, Reboot, Hiberboot, Standby, Hibernate, ConnectedStandby, Reserved, HybridSleep. +- **TotalDurationMS** Total time device has been up in milliseconds in wall clock time. +- **TotalUptimeMS** Total time device has been on (not in a suspended state) in milliseconds. +- **TransitionsToOn** TransitionsToOn increments each time the system successfully completes a system sleep event, and is sent as part of the PowerTransitionEnd ETW event. +- **UptimeDeltaMS** Duration in last state in milliseconds. + + ## OneDrive events ### Microsoft.OneDrive.Sync.Setup.APIOperation @@ -2519,43 +2768,6 @@ The following fields are available: - **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. -### Microsoft.OneDrive.Sync.Setup.SetupCommonData - -This event contains basic OneDrive configuration data that helps to diagnose failures. - -The following fields are available: - -- **AppVersion** The version of the app. -- **BuildArchitecture** Is the architecture x86 or x64? -- **Environment** Is the device on the production or int service? -- **MachineGuid** The CEIP machine ID. -- **Market** Which market is this in? -- **MSFTInternal** Is this an internal Microsoft device? -- **OfficeVersionString** The version of Office that is installed. -- **OSDeviceName** Only if the device is internal to Microsoft, the device name. -- **OSUserName** Only if the device is internal to Microsoft, the user name. -- **UserGuid** The CEIP user ID. - - -### Microsoft.OneDrive.Sync.Updater.CommonData - -This event contains basic OneDrive configuration data that helps to diagnose failures. - -The following fields are available: - -- **AppVersion** The version of the app. -- **BuildArch** Is the architecture x86 or x64? -- **Environment** Is the device on the production or int service? -- **IsMSFTInternal** Is this an internal Microsoft device? -- **MachineGuid** The CEIP machine ID. -- **Market** Which market is this in? -- **OfficeVersion** The version of Office that is installed. -- **OneDriveDeviceId** The OneDrive device ID. -- **OSDeviceName** Only if the device is internal to Microsoft, the device name. -- **OSUserName** Only if the device is internal to Microsoft, the user name. -- **UserGuid** A unique global user identifier. - - ### Microsoft.OneDrive.Sync.Updater.ComponentInstallState This event includes basic data about the installation state of dependent OneDrive components. @@ -2605,12 +2817,12 @@ The following fields are available: ### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult -This event determines the outcome of the operation. +This event sends information describing the result of the update. The following fields are available: - **hr** The HResult of the operation. -- **IsLoggingEnabled** Is logging enabled? +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. - **UpdaterVersion** The version of the updater. @@ -2795,8 +3007,8 @@ The following fields are available: - **ServiceHealthPlugin** The nae of the Service Health plug-in. - **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. - **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set. @@ -2807,7 +3019,7 @@ The following fields are available: - **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. - **usoScanIsUserLoggedOn** TRUE if the user is logged on. - **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). -- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background). +- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". - **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes. - **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes. - **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes. @@ -2939,11 +3151,11 @@ This event reports whether a plug-in started, to help ensure Windows is up to da The following fields are available: -- **CV** The Correlation Vector. -- **GlobalEventCounter** The client-side counter that indicates ordering of events. -- **PackageVersion** The version number of the current remediation package. -- **PluginName** The name of the plug-in specified for each generic plug-in event. -- **Result** The HRESULT for Detection or Perform Action phases of the plug-in. +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. ### Microsoft.Windows.Remediation.wilResult @@ -3714,7 +3926,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -3750,7 +3962,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Unique revision number of Update -- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store. +- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. - **UpdateId** Unique Update ID @@ -3864,6 +4076,30 @@ The following fields are available: - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BundleID** Identifier associated with the specific content bundle. If this value is found, it shouldn't report as all zeros +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state + + ### SoftwareUpdateClientTelemetry.Install This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. @@ -3928,7 +4164,7 @@ The following fields are available: - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install. - **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -3972,7 +4208,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -3993,7 +4229,7 @@ The following fields are available: - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. @@ -4118,6 +4354,22 @@ The following fields are available: - **UpdateId** Unique ID for each update. +### Update360Telemetry.UpdateAgent_FellBackToCanonical + +This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **PackageCount** The number of packages that fell back to “canonical”. +- **PackageList** PackageIDs which fell back to “canonical”. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + ### Update360Telemetry.UpdateAgent_Initialize This event sends data during the initialize phase of updating Windows. @@ -4152,6 +4404,22 @@ The following fields are available: - **UpdateId** Unique ID for each update. +### Update360Telemetry.UpdateAgent_Merge + +This event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + ### Update360Telemetry.UpdateAgent_ModeStart This event sends data for the start of each mode during the process of updating Windows. @@ -4184,6 +4452,130 @@ The following fields are available: - **UpdateId** Unique ID for each update. +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCountOptional** # of optional packages requested. +- **PackageCountRequired** # of required packages requested. +- **PackageCountTotal** Total # of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + ## Upgrade events ### Setup360Telemetry.Downlevel @@ -4375,6 +4767,24 @@ This event helps determine whether the device received supplemental content duri +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + + + ### Setup360Telemetry.UnexpectedEvent This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. @@ -4416,14 +4826,64 @@ The following fields are available: - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). -## Windows Store events +### WerTraceloggingProvider.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. + +The following fields are available: + +- **AppName** The name of the app that crashed. +- **AppSessionGuid** The unique ID used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date time stamp of the app. +- **AppVersion** The version of the app that crashed. +- **ExceptionCode** The exception code returned by the process that crashed. +- **ExceptionOffset** The address where the exception occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, do not terminate the process after reporting. +- **ModName** The module name of the process that crashed. +- **ModTimeStamp** The date time stamp of the module. +- **ModVersion** The module version of the process that crashed. +- **PackageFullName** The package name if the crashing application is packaged. +- **PackageRelativeAppId** The relative application ID if the crashing application is packaged. +- **ProcessArchitecture** The architecture of the system. +- **ProcessCreateTime** The time of creation of the process that crashed. +- **ProcessId** The ID of the process that crashed. +- **ReportId** A unique ID used to identify the report. This can be used to track the report. +- **TargetAppId** The target app ID. +- **TargetAppVer** The target app version. + + +## Windows Phone events + +### Microsoft.Windows.Phone.Telemetry.OnBoot.RebootReason + +This event lists the reboot reason when an app is going to reboot. + +The following fields are available: + +- **BootId** The boot ID. +- **BoottimeSinceLastShutdown** The boot time since the last shutdown. +- **RebootReason** Reason for the reboot. + + +## Microsoft Store events ### Microsoft.Windows.Store.Partner.ReportApplication -Report application event for Windows Store client. +Report application event for Microsoft Store client. +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + +The following fields are available: + +- **correlationVectorRoot** Identifies multiple events within a session/sequence. Initial value before incrementation or extension. +- **protocolUri** Protocol URI used to activate the store. +- **reason** The reason for activating the store. + + ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. @@ -4447,7 +4907,7 @@ The following fields are available: - **ProductId** The identity of the package or packages being installed. - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. - **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** Licensing identity of this package. +- **WUContentId** The Windows Update content ID. ### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds @@ -4819,11 +5279,11 @@ The following fields are available: - **errorCode** The error code that was returned. - **experimentId** When running a test, this is used to correlate events that are part of the same test. - **fileID** The ID of the file being downloaded. -- **isVpn** Is the device connected to a Virtual Private Network? +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). - **scenarioID** The ID of the scenario. - **sessionID** The ID of the file download session. - **updateID** The ID of the update being downloaded. -- **usedMemoryStream** Did the download use memory streaming? +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. ### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted @@ -4862,7 +5322,7 @@ The following fields are available: - **updateID** The ID of the update being downloaded. - **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). - **uplinkUsageBps** The upload speed (in bytes per second). -- **usedMemoryStream** Did the download use memory streaming? +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. ### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused @@ -5146,6 +5606,17 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery). +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.Detection This event indicates that a scan for a Windows Update occurred. @@ -5240,6 +5711,30 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + ### Microsoft.Windows.Update.Orchestrator.PostInstall This event is sent after a Windows update install completes. @@ -5256,6 +5751,15 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + ### Microsoft.Windows.Update.Orchestrator.RebootFailed This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. @@ -5276,6 +5780,18 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. @@ -5332,6 +5848,45 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.USODiagnostics + +This event sends data on whether the state of the update attempt, to help keep Windows up to date. + +The following fields are available: + +- **errorCode** result showing success or failure of current update +- **revisionNumber** Unique revision number of the Update +- **updateId** Unique ID for Update +- **updateState** Progress within an update state +- **wuDeviceid** Unique ID for Device + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + ### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date. @@ -5352,6 +5907,28 @@ The following fields are available: - **WUDeviceID** The Windows Update device ID. +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + ### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded This event is sent when a security update has successfully completed. @@ -5390,7 +5967,7 @@ The following fields are available: ### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled -This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date. +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. The following fields are available: @@ -5406,6 +5983,14 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.FixupEditionId + +This event sends data specific to the FixupEditionId mitigation used for OS Updates. + + + ## Winlogon events ### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon @@ -5414,4 +5999,41 @@ This event signals the completion of the setup process. It happens only once dur +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 665450f693..63376e03ed 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 09/10/2018 +ms.date: 12/13/2018 --- @@ -20,7 +20,7 @@ ms.date: 09/10/2018 - Windows 10, version 1709 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -29,6 +29,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: +- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) @@ -64,16 +65,16 @@ The following fields are available: - **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. - **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. - **InventoryMediaCenter** The count of the number of this particular object type present on this device. - **InventorySystemBios** The count of the number of this particular object type present on this device. - **InventoryTest** The count of the number of this particular object type present on this device. - **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. - **PCFP** An ID for the system, calculated by hashing hardware identifiers. -- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of SystemMemory objects present on this machine. - **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. - **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. -- **SystemProcessorNx** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The count of SystemProcessorNx objects present on this machine. - **SystemProcessorPrefetchW** The count of SystemProcessorPrefetchW objects present on this machine. - **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine. - **SystemTouch** The count of SystemTouch objects present on this machine. @@ -1208,6 +1209,23 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + ### Microsoft.Windows.Appraiser.General.SystemWlanRemove This event indicates that the SystemWlan object is no longer present. @@ -1524,16 +1542,16 @@ The following fields are available: - **KvaShadow** Microcode info of the processor. - **MMSettingOverride** Microcode setting of the processor. - **MMSettingOverrideMask** Microcode setting override of the processor. -- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. -- **ProcessorClockSpeed** Clock speed of the processor in MHz. -- **ProcessorCores** Number of logical cores in the processor. -- **ProcessorIdentifier** Processor Identifier of a manufacturer. -- **ProcessorManufacturer** Name of the processor manufacturer. -- **ProcessorModel** Name of the processor model. +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. The complete list of values can be found in DimProcessorArchitecture. +- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz. +- **ProcessorCores** Retrieves the number of cores in the processor. +- **ProcessorIdentifier** The processor identifier of a manufacturer. +- **ProcessorManufacturer** Retrieves the name of the processor's manufacturer. +- **ProcessorModel** Retrieves the name of the processor model. - **ProcessorPhysicalCores** Number of physical cores in the processor. -- **ProcessorUpdateRevision** Microcode revision +- **ProcessorUpdateRevision** Retrieves the processor architecture of the installed operating system. - **ProcessorUpdateStatus** Enum value that represents the processor microcode load status -- **SocketCount** Count of CPU sockets. +- **SocketCount** Number of physical CPU sockets of the machine. - **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability. @@ -1546,7 +1564,7 @@ The following fields are available: - **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. - **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. - **DGState** This field summarizes the Device Guard state. -- **HVCIRunning** Is HVCI running? +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. - **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. - **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. - **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. @@ -1840,6 +1858,57 @@ The following fields are available: - **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. +## Component-based Servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **highestState** The highest final install state of the optional content. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + ## Diagnostic data events ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition @@ -1850,7 +1919,13 @@ This event sends data indicating that a device has undergone a change of telemet ### TelClientSynthetic.AuthorizationInfo_Startup -This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. +Fired by UTC at startup to signal what data we are allowed to collect. + + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. @@ -1888,6 +1963,88 @@ The following fields are available: - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. +### TelClientSynthetic.TailoredExperiencesWithDiagnosticDataUpdate + +This event is triggered when UTC determines it needs to send information about personalization settings of the user. + + + +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdapterLuid** The display adapter LUID. +- **DriverDate** The date of the display driver. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendorID** The GPU vendor ID. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSystemID** The subsystem ID. +- **SubVendorID** The GPU sub vendor ID. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + ## Feature update events ### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed @@ -1915,6 +2072,33 @@ This event sends basic metadata about the starting point of uninstalling a featu +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + ## Inventory events ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum @@ -1991,13 +2175,13 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: -- **InventoryVersion** The version of the inventory component +- **InventoryVersion** The version of the inventory component. - **ProgramIds** The unique program identifier the driver is associated with. ### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync -The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. +This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). @@ -2360,22 +2544,22 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AddinCLSID** The CLSID for the Office addin -- **AddInCLSID** The CLSID for the Add-in -- **AddInId** Add-In identifier +- **AddInCLSID** CLSID key for the office addin +- **AddInId** Office addin ID - **AddinType** The type of the Office addin. - **BinFileTimestamp** Timestamp of the Office addin - **BinFileVersion** Version of the Office addin -- **Description** Add-in description +- **Description** Office addin description - **FileId** FileId of the Office addin - **FileSize** File size of the Office addin -- **FriendlyName** Add-in friendly name -- **FullPath** Full path to the add-in module -- **LoadBehavior** The load behavior -- **LoadTime** The load time for the add-in -- **OfficeApplication** The Microsoft Office application associated with the add-in +- **FriendlyName** Friendly name for office addin +- **FullPath** Unexpanded path to the office addin +- **LoadBehavior** Uint32 that describes the load behavior +- **LoadTime** Load time for the office add in +- **OfficeApplication** The office application for this add in - **OfficeArchitecture** Architecture of the addin -- **OfficeVersion** The Microsoft Office version installed -- **OutlookCrashingAddin** Whether the Outlook addin is crashing +- **OfficeVersion** The office version for this add in +- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add in - **ProductCompany** The name of the company associated with the Office addin - **ProductName** The product name associated with the Office addin - **ProductVersion** The version associated with the Office addin @@ -2702,6 +2886,111 @@ The following fields are available: - **UserInputTime** The amount of time the loader application spent waiting for user input. +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** The result code of the last action performed before this operation +- **IsSuccess** Was the operation successful? +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **hr** The HResult of the operation. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + ## Remediation events ### Microsoft.Windows.Remediation.Applicable @@ -2715,7 +3004,6 @@ The following fields are available: - **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check. - **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. - **AppraiserTaskDisabled** Indicates the appraiser task is disabled. -- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention. - **CV** Correlation vector - **DateTimeDifference** The difference between local and reference clock times. - **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. @@ -2897,8 +3185,8 @@ The following fields are available: - **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. - **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. - **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. -- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. -- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. - **uninstallActive** TRUE if previous uninstall has occurred for current OS - **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. - **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. @@ -2910,7 +3198,7 @@ The following fields are available: - **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. - **usoScanIsUserLoggedOn** TRUE if the user is logged on. - **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). -- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background). +- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". - **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key. - **windowsEditionId** Event to report the value of Windows Edition ID. - **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes. @@ -2956,6 +3244,54 @@ The following fields are available: ## Sediment events +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +### Microsoft.Windows.Sediment.Info.Error + +This event indicates an error in the updater payload. This information assists in keeping Windows up to date. + + + +### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings + +This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date. + +The following fields are available: + +- **CustomVer** The registry value for targeting. +- **IsMetered** TRUE if the machine is on a metered network. +- **LastVer** The version of the last successful run. +- **ServiceVersionMajor** The Major version information of the component. +- **ServiceVersionMinor** The Minor version information of the component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.OSRSS.Error + +This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ServiceVersionMajor** The Major version information of the component. +- **ServiceVersionMinor** The Minor version information of the component. +- **Time** The system time at which the event occurred. + + ### Microsoft.Windows.Sediment.OSRSS.UrlState This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. @@ -3181,6 +3517,32 @@ The following fields are available: ## Setup events +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + ### SetupPlatformTel.SetupPlatformTelEvent This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. @@ -3280,7 +3642,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. @@ -3297,7 +3659,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **RebootRequired** Indicates if a reboot was required to complete the action. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3312,7 +3674,7 @@ The following fields are available: - **CachedEngineVersion** The engine DLL version that is being used. - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3328,7 +3690,7 @@ The following fields are available: - **EventInstanceID** A unique identifier for event instance. - **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **Service** The service that is being stopped/started. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.). - **StateChange** The service operation (stop/start) is being attempted. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). - **UpdateID** A unique identifier for the action being acted upon. @@ -3346,7 +3708,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **FailedParseActions** The list of actions that were not successfully parsed. - **ParsedActions** The list of actions that were successfully parsed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **WUDeviceID** The unique identifier controlled by the software distribution client. @@ -3422,7 +3784,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -3441,7 +3803,7 @@ Download process event for target update on Windows Update client (see eventscen The following fields are available: -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. - **BiosFamily** The family of the BIOS (Basic Input Output System). @@ -3450,11 +3812,11 @@ The following fields are available: - **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. -- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. - **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download. - **BundleRevisionNumber** Identifies the revision number of the content bundle. -- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle). +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. @@ -3473,7 +3835,7 @@ The following fields are available: - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. -- **FlightId** The specific id of the flight (pre-release build) the device is getting. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. @@ -3489,10 +3851,10 @@ The following fields are available: - **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -3558,7 +3920,7 @@ The following fields are available: - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one - **ResumeCount** Number of times this active download has resumed from a suspended state - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SuspendCount** Number of times this active download has entered a suspended state - **SuspendReason** Last reason for why this active download entered a suspended state @@ -3618,7 +3980,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -3645,7 +4007,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -3666,7 +4028,7 @@ The following fields are available: - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. - **RevisionId** The revision ID for a specific piece of content. - **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. - **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. - **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. @@ -3766,6 +4128,131 @@ The following fields are available: ## Update events +### Update360Telemetry.UpdateAgent_DownloadRequest + +This event sends data during the download request phase of updating Windows. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **ErrorCode** The error code returned for the current download request phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCountOptional** # of optional packages requested. +- **PackageCountRequired** # of required packages requested. +- **PackageCountTotal** Total # of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases) +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgent_FellBackToCanonical + +This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **PackageCount** The number of packages that fell back to “canonical”. +- **PackageList** PackageIDs which fell back to “canonical”. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgent_Initialize + +This event sends data during the initialize phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current initialize phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each Update Agent mode attempt . +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgent_Install + +This event sends data during the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest scan. +- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionId** Unique value for each Update Agent mode attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgent_Merge + +This event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgent_ModeStart + +This event sends data for the start of each mode during the process of updating Windows. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionId** Unique value for each Update Agent mode attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgent_SetupBoxLaunch + +This event sends data during the launching of the setup box when updating Windows. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true +- **RelatedCV** Correlation vector value generated from the latest scan. +- **SandboxSize** The size of the sandbox folder on the device. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **SessionId** Unique value for each Update Agent mode attempt. +- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize +- **UpdateId** Unique ID for each update. + + ### Update360Telemetry.UpdateAgentCommit This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. @@ -3961,6 +4448,24 @@ The following fields are available: - **Version** Version of update +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + ### Update360Telemetry.UpdateAgentPostRebootResult This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. @@ -3995,7 +4500,7 @@ The following fields are available: - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each update attempt. - **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each update. +- **UpdateId** Unique ID for each Update. - **UserSession** Indicates whether install was invoked by user actions. @@ -4014,7 +4519,7 @@ The following fields are available: - **CV** Correlation vector. - **DetectorVersion** Most recently run detector version for the current campaign. - **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user. -- **key1** Interaction data for the UI +- **key1** UI interaction data - **key10** UI interaction data - **key11** UI interaction data - **key12** UI interaction data @@ -4025,9 +4530,9 @@ The following fields are available: - **key17** UI interaction data - **key18** UI interaction data - **key19** UI interaction data -- **key2** Interaction data for the UI +- **key2** UI interaction data - **key20** UI interaction data -- **key21** Interaction data for the UI +- **key21** UI interaction data - **key22** UI interaction data - **key23** UI interaction data - **key24** UI interaction data @@ -4036,13 +4541,13 @@ The following fields are available: - **key27** UI interaction data - **key28** UI interaction data - **key29** UI interaction data -- **key3** Interaction data for the UI +- **key3** UI interaction data - **key30** UI interaction data -- **key4** Interaction data for the UI +- **key4** UI interaction data - **key5** UI interaction data - **key6** UI interaction data -- **key7** Interaction data for the UI -- **key8** Interaction data for the UI +- **key7** UI interaction data +- **key8** UI interaction data - **key9** UI interaction data - **PackageVersion** Current package version of the update notification. - **schema** UI interaction type. @@ -4339,6 +4844,12 @@ This event sends a summary of all the setup mitigations available for this updat +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + + + ### Setup360Telemetry.UnexpectedEvent This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. @@ -4362,6 +4873,15 @@ The following fields are available: ## Windows as a Service diagnostic events +### Microsoft.Windows.WaaSAssessment.Error + +This event returns the name of the missing setting needed to determine the Operating System build age. + +The following fields are available: + +- **m** The WaaS (“Workspace as a Service”—cloud-based “workspace”) Assessment Error String. + + ### Microsoft.Windows.WaaSMedic.Summary This event provides the results of the WaaSMedic diagnostic run @@ -4401,14 +4921,45 @@ The following fields are available: - **versionString** Version of the WaaSMedic engine. -## Windows Store events +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + +## Microsoft Store events ### Microsoft.Windows.Store.Partner.ReportApplication -Report application event for Windows Store client. +Report application event for Microsoft Store client. +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + +The following fields are available: + +- **correlationVectorRoot** Identifies multiple events within a session/sequence. Initial value before incrementation or extension. +- **protocolUri** Protocol URI used to activate the store. +- **reason** The reason for activating the store. + + ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. @@ -4653,7 +5204,7 @@ The following fields are available: ### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare -This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure. +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. The following fields are available: @@ -4808,13 +5359,13 @@ The following fields are available: - **fileID** The ID of the file being downloaded. - **gCurMemoryStreamBytes** Current usage for memory streaming. - **gMaxMemoryStreamBytes** Maximum usage for memory streaming. -- **isVpn** Is the device connected to a Virtual Private Network? +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). - **jobID** Identifier for the Windows Update job. - **reasonCode** Reason the action or event occurred. - **scenarioID** The ID of the scenario. - **sessionID** The ID of the file download session. - **updateID** The ID of the update being downloaded. -- **usedMemoryStream** Did the download use memory streaming? +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. ### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted @@ -4862,7 +5413,7 @@ The following fields are available: - **updateID** The ID of the update being downloaded. - **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). - **uplinkUsageBps** The upload speed (in bytes per second). -- **usedMemoryStream** Did the download use memory streaming? +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. ### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused @@ -4895,7 +5446,7 @@ The following fields are available: - **bytesRequested** Number of bytes requested for the download. - **callerName** Name of the API caller. - **cdnUrl** The URL of the source CDN. -- **clientTelId** Random number used for device selection +- **clientTelId** A random number used for device sampling. - **costFlags** A set of flags representing network cost. - **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). - **diceRoll** Random number used for determining if a client will use peering. @@ -5044,13 +5595,31 @@ This event sends data for the start of each mode during the process of updating The following fields are available: -- **flightId** Unique ID for each flight. -- **mode** The mode that is starting. -- **objectId** Unique value for each diagnostics session. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **updateId** Unique ID for each Update. +- **flightId** The unique identifier for each flight +- **mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit +- **objectId** Unique value for each Update Agent mode +- **relatedCV** Correlation vector value generated from the latest scan +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **sessionId** Unique value for each Update Agent mode attempt +- **updateId** Unique ID for each update + + +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + ### Microsoft.Windows.Update.NotificationUx.RebootScheduled @@ -5071,6 +5640,18 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy + +This event indicates a policy is present that may restrict update activity to outside of active hours. + + + +### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours + +This event indicates that update activity was blocked because it is within the active hours window. + + + ### Microsoft.Windows.Update.Orchestrator.CommitFailed This event indicates that a device was unable to restart after an update. @@ -5109,7 +5690,7 @@ The following fields are available: - **revisionNumber** Update revision number. - **updateId** Update ID. - **updateScenarioType** Device ID -- **wuDeviceid** Device ID +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded @@ -5128,6 +5709,23 @@ The following fields are available: - **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.FlightInapplicable This event indicates that the update is no longer applicable to this device. @@ -5155,6 +5753,48 @@ The following fields are available: - **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +### Microsoft.Windows.Update.Orchestrator.InitiatingReboot + +This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. + +The following fields are available: + +- **EventPublishedTime** Time of the event. +- **flightID** Unique update ID +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Install + +This event sends launch data for a Windows Update install to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **errorCode** The error code reppresented by a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **flightUpdate** Indicates whether the update is a Windows Insider build. +- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.LowUptimes This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. @@ -5168,6 +5808,35 @@ The following fields are available: - **wuDeviceid** Unique device ID for Windows Update. +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + +### Microsoft.Windows.Update.Orchestrator.PostInstall + +This event is sent after a Windows update install completes. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **bundleId** Identifier associated with the specific content bundle. +- **bundleRevisionnumber** Identifies the revision number of the content bundle. +- **errorCode** The error code returned for the current phase. +- **eventScenario** State of update action. +- **flightID** Update session type +- **sessionType** The Windows Update session type (Interactive or Background). +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.PreShutdownStart This event is generated before the shutdown and commit operations. @@ -5177,6 +5846,181 @@ The following fields are available: - **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device ID for the device on which the reboot is restored. + + +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.USODiagnostics + +This event sends data on whether the state of the update attempt, to help keep Windows up to date. + +The following fields are available: + +- **errorCode** result showing success or failure of current update +- **LastApplicableUpdateFoundTime** The time when the last applicable update was found. +- **LastDownloadDeferredReason** The last reason download was deferred. +- **LastDownloadDeferredTime** The time of the download deferral. +- **LastDownloadFailureError** The last download failure. +- **LastDownloadFailureTime** The time of the last download failure. +- **LastInstallCompletedTime** The time when the last successful install completed. +- **LastInstallDeferredReason** The reason the last install was deferred. +- **LastInstallDeferredTime** The time when the last install was deferred. +- **LastInstallFailureError** The error code associated with the last install failure. +- **LastInstallFailureTime** The time when the last install failed to complete. +- **LastRebootDeferredReason** The reason the last reboot was deferred. +- **LastRebootDeferredTime** The time when the last reboot was deferred. +- **LastRebootPendingTime** The time when the last reboot state was set to “Pending”. +- **LastScanDeferredReason** The reason the last scan was deferred. +- **LastScanDeferredTime** The time when the last scan was deferred. +- **LastScanFailureError** The error code for the last scan failure. +- **LastScanFailureTime** The time when the last scan failed. +- **LastUpdateCheckTime** The time of the last update check. +- **LastUpdateDownloadTime** The time when the last update was downloaded. +- **LastUpgradeInstallFailureError** The error code for the last upgrade install failure. +- **LastUpgradeInstallFailureTime** The time of the last upgrade install failure. +- **LowUpTimeDetectTime** The last time “low up-time” was detected. +- **NoLowUpTimeDetectTime** The last time no “low up-time” was detected. +- **RebootRequired** Indicates reboot is required. +- **revisionNumber** Unique revision number of the Update +- **updateId** Unique ID for Update +- **updateState** Progress within an update state +- **UpgradeInProgressTime** The amount of time a feature update has been in progress. +- **WaaSFeatureAssessmentDays** The number of days Feature Update Assessment has been out of date. +- **WaaSFeatureAssessmentImpact** The impact of the Feature Update Assessment. +- **WaaSUpToDateAssessmentDays** The number of days Quality Update Assessment has been out of date. +- **WaaSUpToDateAssessmentImpact** The impact of Quality Update Assessment. +- **wuDeviceid** Unique ID for Device + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + ### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded This event is sent when a security update has successfully completed. @@ -5195,6 +6039,25 @@ The following fields are available: - **Reason** The reason sent which will cause the reboot to defer. +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot This event is fired the first time when the reboot is required. @@ -5213,7 +6076,7 @@ The following fields are available: ### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled -This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. The following fields are available: @@ -5230,6 +6093,32 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** Number of mounted images. +- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT. +- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. +- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. +- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. +- **WuId** Unique ID for the Windows Update client. + + ## Winlogon events ### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon @@ -5238,4 +6127,18 @@ This event signals the completion of the setup process. It happens only once dur +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + + + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index 2f0e8fbb61..c8a8b09e66 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 09/10/2018 +ms.date: 12/13/2018 --- @@ -20,7 +20,7 @@ ms.date: 09/10/2018 - Windows 10, version 1803 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. @@ -29,12 +29,15 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: +- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount @@ -45,37 +48,54 @@ The following fields are available: - **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. - **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. - **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. - **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. - **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. - **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. - **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. - **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. - **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. - **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. - **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. - **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. - **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. - **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. - **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. - **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. - **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. - **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. -- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine. - **InventoryMediaCenter** The count of the number of this particular object type present on this device. - **InventorySystemBios** The count of the number of this particular object type present on this device. - **InventoryTest** The count of the number of this particular object type present on this device. @@ -93,6 +113,7 @@ The following fields are available: - **SystemWlan** The count of SystemWlan objects present on this machine. - **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. - **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd @@ -350,6 +371,7 @@ The following fields are available: - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. - **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. - **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? - **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? @@ -405,6 +427,7 @@ The following fields are available: - **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? - **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? - **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. - **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? - **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? @@ -446,6 +469,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. - **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? - **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? - **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? @@ -524,6 +548,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. - **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? @@ -575,6 +600,17 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. @@ -624,6 +660,7 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. - **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. - **HasBiosBlock** Does the device have a BIOS block? @@ -672,6 +709,8 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. - **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. @@ -679,6 +718,8 @@ The following fields are available: - **CompanyName** The company name of the vendor who developed this file. - **FileId** A hash that uniquely identifies a file. - **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. - **LinkDate** The date and time that this file was linked on. - **LowerCaseLongPath** The full file path to the file that was inventoried on the device. - **Name** The name of the file that was inventoried. @@ -822,6 +863,31 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove This event indicates that the InventoryUplevelDriverPackage object is no longer present. @@ -1179,6 +1245,23 @@ The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + ### Microsoft.Windows.Appraiser.General.SystemWlanRemove This event indicates that the SystemWlan object is no longer present. @@ -1216,6 +1299,8 @@ The following fields are available: - **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. - **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. - **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. - **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. - **PCFP** An ID for the system calculated by hashing hardware identifiers. - **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. @@ -1292,7 +1377,7 @@ The following fields are available: - **AppraiserTaskExitCode** The Appraiser task exist code. - **AppraiserTaskLastRun** The last runtime for the Appraiser task. - **CensusVersion** The version of Census that generated the current data for this device. -- **IEVersion** Retrieves which version of Internet Explorer is running on this device. +- **IEVersion** IE version running on the device. ### Census.Battery @@ -1636,6 +1721,7 @@ The following fields are available: - **OSRolledBack** A flag that represents when a feature update has rolled back during setup. - **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . - **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. - **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). - **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. @@ -1854,6 +1940,83 @@ The following fields are available: - **ImageName** Name of file. +## Component-based Servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + ## Deployment extensions ### DeploymentTelemetry.Deployment_End @@ -1924,7 +2087,7 @@ The following fields are available: ## Diagnostic data events -### TelClientSynthetic.AuthorizationInfo_Startup +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. @@ -1943,6 +2106,40 @@ The following fields are available: - **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartbeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **LastFreeNetworkLossTime** The FILETIME at which the last free network loss occurred. +- **NetworkState** The network state of the device. +- **NoNetworkTimeSec** The total number of seconds without network during this heartbeat period. +- **RestrictedNetworkTimeSec** The total number of seconds with restricted network during this heartbeat period. + + ### TelClientSynthetic.HeartBeat_5 This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. @@ -2594,6 +2791,91 @@ The following fields are available: - **CV** Correlation vector. +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdapterLuid** The display adapter LUID. +- **DriverDate** The date of the display driver. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendorID** The GPU vendor ID. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSystemID** The subsystem ID. +- **SubVendorID** The GPU sub vendor ID. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsCrashFatal** (Deprecated) True/False to indicate whether the crash resulted in process termination. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + ## Feature update events ### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed @@ -2618,6 +2900,34 @@ This event sends basic metadata about the starting point of uninstalling a featu +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + ## Inventory events ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum @@ -2693,6 +3003,18 @@ The following fields are available: - **Version** The version number of the program. +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. +- **ProgramIds** The unique program identifier the driver is associated with. + + ### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd This event provides the basic metadata about the frameworks an application may depend on. @@ -2839,6 +3161,17 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + ### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. @@ -3065,6 +3398,9 @@ Indicates that this particular data object represented by the objectInstanceId i This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync @@ -3152,6 +3488,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic The following fields are available: +- **InventoryVersion** The version of the inventory binary generating the events. - **OfficeApplication** The name of the Office application. - **OfficeArchitecture** The bitness of the Office application. - **OfficeVersion** The version of the Office application. @@ -3164,6 +3501,9 @@ Indicates that this particular data object represented by the objectInstanceId i This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync @@ -3172,6 +3512,9 @@ This diagnostic event indicates that a new sync is being generated for this obje This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd @@ -3238,6 +3581,7 @@ The following fields are available: - **DuplicateVBA** Count of files with duplicate VBA code - **HasVBA** Count of files with VBA code - **Inaccessible** Count of files that were inaccessible for scanning +- **InventoryVersion** The version of the inventory binary generating the events. - **Issues** Count of files with issues detected - **Issues_x64** Count of files with 64-bit issues detected - **IssuesNone** Count of files with no issues detected @@ -3289,6 +3633,9 @@ This event indicates that a new sync is being generated for this object type. This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync @@ -3438,6 +3785,111 @@ The following fields are available: - **UptimeDeltaMS** Total time (in milliseconds) added to Uptime since the last event +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **hr** The HResult of the operation. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted @@ -3452,21 +3904,358 @@ The following fields are available: - **userOobeExitReason** The exit reason of the privacy consent experience +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentPrep + +This event is used to determine whether the user needs to see the privacy consent experience or not. + +The following fields are available: + +- **s0** Indicates the error level encountered during Privacy Consent Preparation. See [Microsoft.Windows.Shell.PrivacyConsentLogging.wilActivity](#microsoftwindowsshellprivacyconsentloggingwilactivity). +- **wilActivity** Information of the thread where the error occurred (thread ID). See [wilActivity](#wilactivity). + + ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus Event tells us effectiveness of new privacy experience. The following fields are available: -- **isAdmin** whether the person who is logging in is an admin +- **isAdmin** Whether the current user is an administrator or not - **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** whether the user has most restrictive UAC controls -- **privacyConsentState** whether the user has completed privacy experience +- **isSilentElevation** Whether the current user has enabled silent elevation +- **privacyConsentState** The current state of the privacy consent experience - **userRegionCode** The current user's region setting +### Microsoft.Windows.Shell.PrivacyConsentLogging.wilActivity + +This event returns information if an error is encountered while computing whether the user needs to complete privacy consents in certain upgrade scenarios. + +The following fields are available: + +- **callContext** A list of Windows Diagnostic activities/events containing this error. +- **currentContextId** The ID for the newest activity/event containing this error. +- **currentContextMessage** Any custom message for the activity context. +- **currentContextName** The name of the newest activity/event context containing this error. +- **failureType** The type of failure observed: exception, returned error, etc. +- **fileName** The name of the fine in which the error was encountered. +- **hresult** The Result Code of the error. +- **lineNumber** The line number where the error was encountered. +- **message** Any message associated with the error. +- **module** The name of the binary module where the error was encountered. +- **originatingContextId** The ID of the oldest telemetry activity containing this error. +- **originatingContextMessage** Any custom message associated with the oldest Windows Diagnostic activity/event containing this error. +- **originatingContextName** The name associated with the oldest Windows Diagnostic activity/event containing this error. +- **threadId** The ID of the thread the activity was run on. + + +## Remediation events + +### Microsoft.Windows.Remediation.Applicable + +This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. + +The following fields are available: + +- **ActionName** The name of the action to be taken by the plug-in. +- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. +- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check. +- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. +- **AppraiserTaskDisabled** Indicates the appraiser task is disabled. +- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention. +- **CV** Correlation vector +- **DateTimeDifference** The difference between local and reference clock times. +- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. +- **DaysSinceLastSIH** The number of days since the most recent SIH executed. +- **DaysToNextSIH** The number of days until the next scheduled SIH execution. +- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run. +- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed. +- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. +- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. +- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system. +- **HResult** The HRESULT for detection or perform action phases of the plugin. +- **IsAppraiserLatestResult** The HRESULT from the appraiser task. +- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected. +- **LastHresult** The HRESULT for detection or perform action phases of the plugin. +- **LastRun** The date of the most recent SIH run. +- **NextRun** Date of the next scheduled SIH run. +- **PackageVersion** The version of the current remediation package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Reload** True if SIH reload is required. +- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine. +- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. +- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. +- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. +- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran. +- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. +- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. +- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. +- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network. +- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled. +- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists. +- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger. +- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in. +- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. +- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. +- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. +- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. +- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. +- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. +- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task. +- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task. +- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task. +- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task. +- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task. +- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task. +- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task. +- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled. +- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled. +- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled. +- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled. +- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled. +- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled. +- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled. +- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled. +- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled. +- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled. +- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled. +- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled. +- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled. +- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled. +- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. +- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly. +- **RunTask** TRUE if SIH task should be run by the plug-in. +- **TimeServiceNTPServer** The URL for the NTP time server used by device. +- **TimeServiceStartType** The startup type for the NTP time service. +- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock. +- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device. + + +### Microsoft.Windows.Remediation.ChangePowerProfileDetection + +Indicates whether the remediation system can put in a request to defer a system-initiated sleep to enable installation of security or quality updates. + +The following fields are available: + +- **ActionName** A descriptive name for the plugin action +- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device +- **CV** Correlation vector +- **GlobalEventCounter** Counter that indicates the ordering of events on the device +- **PackageVersion** Current package version of remediation service +- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0) +- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update +- **RemediationFURebootRequred** Indicates that a feature update reboot required was detected so the plugin will exit. +- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates +- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues +- **SetupMutexAvailable** Result that shows whether setup mutex is available or not +- **SysPowerStatusAC** Result that shows whether system is on AC power or not + + +### Microsoft.Windows.Remediation.Completed + +This event enables completion tracking of a process that remediates issues preventing security and quality updates. + +The following fields are available: + +- **ActionName** Name of the action to be completed by the plug-in. +- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully. +- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully. +- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully. +- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully. +- **AppraiserTaskMissing** TRUE if the Appraiser task is missing. +- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully. +- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully. +- **branchReadinessLevel** Branch readiness level policy. +- **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings. +- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded. +- **CV** The Correlation Vector. +- **DateTimeDifference** The difference between the local and reference clocks. +- **DaysSinceOsInstallation** The number of days since the installation of the Operating System. +- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes. +- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. +- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. +- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. +- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. +- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. +- **hasRolledBack** Indicates whether the client machine has rolled back. +- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS. +- **hResult** The result of the event execution. +- **HResult** The result of the event execution. +- **installDate** The value of installDate registry key. Indicates the install date. +- **isNetworkMetered** Indicates whether the client machine has uninstalled a later version of the OS. +- **LatestState** The final state of the plug-in component. +- **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in. +- **PackageVersion** The package version for the current Remediation. +- **PageFileCount** The number of Windows Page files. +- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes. +- **PageFileLocation** The storage location (directory path) of the Windows Page file. +- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes. +- **PluginName** The name of the plug-in specified for each generic plug-in event. +- **RanCleanup** TRUE if the plug-in ran disk cleanup. +- **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation. +- **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power. +- **RemediationBatteryPowerOnBattery** True if we allow execution on battery. +- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully. +- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully. +- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully. +- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes. +- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes. +- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes. +- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes. +- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes. +- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified. +- **RemediationDoorstopExists** TRUE if there is a One Settings Doorstop value. +- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key. +- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted. +- **RemediationDUABuildNumber** The build number of the DUA. +- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted. +- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated. +- **remediationExecution** Remediation shell is in "applying remediation" state. +- **RemediationHibernationMigrated** TRUE if hibernation was migrated. +- **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded. +- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated. +- **RemediationNoisyHammerTaskFixSuccessId** Indicates whether the Update Assistant task fix was successful. +- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully. +- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried. +- **RemediationRanHibernation** TRUE if the system entered Hibernation. +- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded. +- **RemediationShellHasUpgraded** TRUE if the device upgraded. +- **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins. +- **RemediationShellRunFromService** TRUE if the shell driver was run from the service. +- **RemediationShellSessionIdentifier** Unique identifier tracking a shell session. +- **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds. +- **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation. +- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in. +- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in. +- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in. +- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes. +- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes. +- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes. +- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more. +- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes. +- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes. +- **Result** The HRESULT for Detection or Perform Action phases of the plug-in. +- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. +- **ServiceHardeningExitCode** The exit code returned by Windows Service Repair. +- **ServiceHealthEnabledBitMap** List of services updated by the plugin. +- **ServiceHealthInstalledBitMap** List of services installed by the plugin. +- **ServiceHealthPlugin** The nae of the Service Health plug-in. +- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. +- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs. +- **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot. +- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Microsoft Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Microsoft Store cache (prior to cleanup), measured in Megabytes. +- **uninstallActive** TRUE if previous uninstall has occurred for current OS +- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. +- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. +- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set. +- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set. +- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set. +- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. +- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network. +- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. +- **usoScanIsUserLoggedOn** TRUE if the user is logged on. +- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). +- **usoScanType** The type of USO (Update Session Orchestrator) scan: "Interactive" or "Background". +- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key. +- **windowsEditionId** Event to report the value of Windows Edition ID. +- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes. +- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes. +- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes. +- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes. +- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes. +- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes. +- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes. +- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes. +- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes. +- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key. + + +### Microsoft.Windows.Remediation.RemediationShellMainExeEventId + +Enables tracking of completion of process that remediates issues preventing security and quality updates. + +The following fields are available: + +- **CV** Client side counter which indicates ordering of events sent by the remediation system. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system. +- **PackageVersion** Current package version of Remediation. +- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running. +- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors. +- **RemediationShellFoundDriverDll** Result whether the remediation system found its component files to run properly. +- **RemediationShellLoadedShellDriver** Result whether the remediation system loaded its component files to run properly. +- **RemediationShellLoadedShellFunction** Result whether the remediation system loaded the functions from its component files to run properly. + + +### Microsoft.Windows.Remediation.Started + +This event reports whether a plug-in started, to help ensure Windows is up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **RunCount** The number of times the remediation event started (whether it completed successfully or not). + + ## Sediment events +### Microsoft.Windows.Sediment.Info.DetailedState + +This event is sent when detailed state information is needed from an update trial run. + +The following fields are available: + +- **Data** Data relevant to the state, such as what percent of disk space the directory takes up. +- **Id** Identifies the trial being run, such as a disk related trial. +- **ReleaseVer** The version of the component. +- **State** The state of the reporting data from the trial, such as the top-level directory analysis. +- **Time** The time the event was fired. + + +### Microsoft.Windows.Sediment.Info.Error + +This event indicates an error in the updater payload. This information assists in keeping Windows up to date. + + + +### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings + +This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date. + +The following fields are available: + +- **CustomVer** The registry value for targeting. +- **IsMetered** TRUE if the machine is on a metered network. +- **LastVer** The version of the last successful run. +- **ServiceVersionMajor** The Major version information of the component. +- **ServiceVersionMinor** The Minor version information of the component. +- **Time** The system time at which the event occurred. + + +### Microsoft.Windows.Sediment.OSRSS.Error + +This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful. + +The following fields are available: + +- **FailureType** The type of error encountered. +- **FileName** The code file in which the error occurred. +- **HResult** The failure error code. +- **LineNumber** The line number in the code file at which the error occurred. +- **ServiceVersionMajor** The Major version information of the component. +- **ServiceVersionMinor** The Minor version information of the component. +- **Time** The system time at which the event occurred. + + ### Microsoft.Windows.Sediment.OSRSS.UrlState This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. @@ -3481,8 +4270,128 @@ The following fields are available: - **Time** System timestamp when the event was started. +### Microsoft.Windows.SedimentLauncher.Applicable + +Indicates whether a given plugin is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings. +- **IsSelfUpdateNeeded** True if self update needed by device. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentLauncher.Completed + +Indicates whether a given plugin has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. + + +### Microsoft.Windows.SedimentLauncher.Started + +This event indicates that a given plug-in has started. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Applicable + +This event indicates whether a given plug-in is applicable. + +The following fields are available: + +- **CV** Correlation vector. +- **DetectedCondition** Determine whether action needs to run based on device properties. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings. +- **IsSelfUpdateNeeded** Indicates if self update is needed. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + + +### Microsoft.Windows.SedimentService.Completed + +This event indicates whether a given plug-in has completed its work. + +The following fields are available: + +- **CV** Correlation vector. +- **FailedReasons** List of reasons when the plugin action failed. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded. +- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe. +- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService). +- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service. +- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call). +- **SedimentServiceStopping** True/False indicating whether the service is stopping. +- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run. +- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again. + + +### Microsoft.Windows.SedimentService.Started + +This event indicates a specified plug-in has started. This information helps ensure Windows is up to date. + +The following fields are available: + +- **CV** The Correlation Vector. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **PackageVersion** The version number of the current remediation package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. + + ## Setup events +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + ### SetupPlatformTel.SetupPlatformTelEvent This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. @@ -3584,7 +4493,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. - **IsExecutingAction** If the action is presently being executed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **SihclientVersion** The client version that is being used. - **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. - **StatusCode** Result code of the event (success, cancellation, failure code HResult). @@ -3606,7 +4515,7 @@ The following fields are available: - **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. - **FailedParseActions** The list of actions that were not successfully parsed. - **ParsedActions** The list of actions that were successfully parsed. -- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Microsoft Store, etc.) - **SihclientVersion** The client version that is being used. - **WuapiVersion** The Windows Update API version that is currently installed. - **WuaucltVersion** The Windows Update client version that is currently installed. @@ -3686,7 +4595,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **ScanDurationInSeconds** The number of seconds a scan took - **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). - **ServiceUrl** The environment URL a device is configured to scan with - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). @@ -3722,7 +4631,7 @@ The following fields are available: - **FlightId** The specific id of the flight the device is getting - **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) - **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) - **SystemBIOSMajorRelease** Major release version of the system bios - **SystemBIOSMinorRelease** Minor release version of the system bios - **UpdateId** Identifier associated with the specific piece of content @@ -3785,7 +4694,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. -- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). @@ -3906,7 +4815,7 @@ The following fields are available: - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. - **RevisionNumber** The revision number of this specific piece of content. -- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). @@ -3932,7 +4841,7 @@ The following fields are available: - **IntentPFNs** Intended application-set metadata for atomic update scenarios. - **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. -- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). - **WUDeviceID** The unique device ID controlled by the software distribution client. @@ -3943,32 +4852,49 @@ Ensures Windows Updates are secure and complete. Event helps to identify whether The following fields are available: - **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. -- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. -- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. -- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. -- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed. +- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. +- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. +- **ExtendedStatusCode** The secondary status code of the event. +- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed. - **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MetadataSignature** Base64 string of the signature associated with the update metadata (specified by revision id) +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). - **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable. - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **RevisionId** Identifies the revision of this specific piece of content -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **SHA256OfLeafCertPublicKey** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate. -- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob -- **SignatureAlgorithm** Hash algorithm for the metadata signature -- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". -- **StatusCode** Result code of the event (success, cancellation, failure code HResult) +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **StatusCode** The status code of the event. - **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. -- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. -- **UpdateId** Identifier associated with the specific piece of content +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. ## Update events +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + ### Update360Telemetry.UpdateAgentCommit This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. @@ -3998,6 +4924,7 @@ The following fields are available: - **FlightId** Unique ID for each flight. - **InternalFailureResult** Indicates a non-fatal error from a plugin. - **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. - **PackageCountOptional** Number of optional packages requested. - **PackageCountRequired** Number of required packages requested. - **PackageCountTotal** Total number of packages needed. @@ -4104,6 +5031,52 @@ The following fields are available: - **UpdateId** Unique ID for each update. +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + ### Update360Telemetry.UpdateAgentModeStart This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. @@ -4120,6 +5093,24 @@ The following fields are available: - **Version** Version of update +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + ### Update360Telemetry.UpdateAgentPostRebootResult This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. @@ -4136,6 +5127,12 @@ The following fields are available: - **UpdateId** Unique ID for each update. +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. + + + ### Update360Telemetry.UpdateAgentSetupBoxLaunch The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. @@ -4153,7 +5150,7 @@ The following fields are available: - **ScenarioId** Indicates the update scenario. - **SessionId** Unique value for each update attempt. - **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each update. +- **UpdateId** Unique ID for each Update. - **UserSession** Indicates whether install was invoked by user actions. @@ -4172,7 +5169,7 @@ The following fields are available: - **CV** Correlation vector. - **DetectorVersion** Most recently run detector version for the current campaign. - **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user. -- **key1** Interaction data for the UI +- **key1** UI interaction data - **key10** UI interaction data - **key11** UI interaction data - **key12** UI interaction data @@ -4183,9 +5180,9 @@ The following fields are available: - **key17** UI interaction data - **key18** UI interaction data - **key19** UI interaction data -- **key2** Interaction data for the UI +- **key2** UI interaction data - **key20** UI interaction data -- **key21** Interaction data for the UI +- **key21** UI interaction data - **key22** UI interaction data - **key23** UI interaction data - **key24** UI interaction data @@ -4194,13 +5191,13 @@ The following fields are available: - **key27** UI interaction data - **key28** UI interaction data - **key29** UI interaction data -- **key3** Interaction data for the UI +- **key3** UI interaction data - **key30** UI interaction data -- **key4** Interaction data for the UI +- **key4** UI interaction data - **key5** UI interaction data - **key6** UI interaction data -- **key7** Interaction data for the UI -- **key8** Interaction data for the UI +- **key7** UI interaction data +- **key8** UI interaction data - **key9** UI interaction data - **PackageVersion** Current package version of the update notification. - **schema** UI interaction type. @@ -4314,6 +5311,7 @@ The following fields are available: - **DownloadRequestAttributes** The attributes we send to DCAT. - **ResultCode** The result returned from the initialization of Facilitator with the URL/attributes. - **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. - **Version** Version of Facilitator. @@ -4376,7 +5374,7 @@ The following fields are available: - **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). - **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** ID that uniquely identifies a group of events. @@ -4520,10 +5518,72 @@ The following fields are available: - **ReportId** ID for tying together events stream side. - **ResultCode** Result returned by setup for the entire operation. - **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. - **TargetBranch** Branch of the target OS. - **TargetBuild** Build of the target OS. +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + ### Setup360Telemetry.UnexpectedEvent This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. @@ -4570,6 +5630,26 @@ The following fields are available: - **versionString** Version of the WaaSMedic engine. +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + ## Windows Error Reporting MTT events ### Microsoft.Windows.WER.MTT.Denominator @@ -4595,7 +5675,18 @@ The following fields are available: - **PertProb** Constant used in algorithm for randomization. -## Windows Store events +## Microsoft Store events + +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + +The following fields are available: + +- **correlationVectorRoot** Identifies multiple events within a session/sequence. Initial value before incrementation or extension. +- **protocolUri** Protocol URI used to activate the store. +- **reason** The reason for activating the store. + ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation @@ -4620,7 +5711,7 @@ The following fields are available: - **ProductId** The identity of the package or packages being installed. - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. - **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** Licensing identity of this package. +- **WUContentId** The Windows Update content ID. ### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds @@ -4771,7 +5862,7 @@ The following fields are available: - **ProductId** The Store Product ID for the product being installed. - **SystemAttemptNumber** The total number of system attempts. - **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID. +- **WUContentId** Licensing identity of this package. ### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates @@ -4841,7 +5932,7 @@ The following fields are available: ### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare -This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure. +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. The following fields are available: @@ -5023,7 +6114,7 @@ The following fields are available: - **current** Result of currency check. - **dismOperationSucceeded** Dism uninstall operation status. -- **hResult** Failure error code. +- **hResult** Failure Error code. - **oSVersion** Build number of the device. - **paused** Indicates whether the device is paused. - **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. @@ -5058,6 +6149,107 @@ This event sends basic telemetry on the success of the rollback of the Quality/L ## Windows Update Delivery Optimization events +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **callerName** Name of the API caller. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **callerName** Name of the API caller. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **numPeers** The total number of peers used for this download. +- **predefinedCallerName** The name of the API Caller. +- **restrictedUpload** Is the upload restricted? +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **callerName** The name of the API caller. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCode** The reason for pausing the download. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. + + ### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. @@ -5097,6 +6289,42 @@ The following fields are available: - **usedMemoryStream** Indicates whether the download used memory streaming. +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + + +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + ## Windows Update events ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary @@ -5106,21 +6334,21 @@ This event collects information regarding the state of devices and drivers on th The following fields are available: - **activated** Whether the entire device manifest update is considered activated and in use. -- **analysisErrorCount** How many driver packages could not be analyzed because errors were hit during the analysis. +- **analysisErrorCount** How many driver packages that could not be analyzed because errors were hit during the analysis. - **flightId** Unique ID for each flight. -- **missingDriverCount** How many driver packages that were delivered by the device manifest are missing from the system. -- **missingUpdateCount** How many updates that were part of the device manifest are missing from the system. +- **missingDriverCount** How many driver packages that were delivered by the device manifest that are missing from the system. +- **missingUpdateCount** How many updates that were part of the device manifest that are missing from the system. - **objectId** Unique value for each diagnostics session. -- **publishedCount** How many drivers packages that were delivered by the device manifest are published and available to be used on devices. +- **publishedCount** How many drivers packages that were delivered by the device manifest that are published and available to be used on devices. - **relatedCV** Correlation vector value generated from the latest USO scan. - **scenarioId** Indicates the update scenario. - **sessionId** Unique value for each update session. -- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. +- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match on. - **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **truncatedDeviceCount** How many devices are missing from the summary string because there is not enough room in the string. -- **truncatedDriverCount** How many driver packages are missing from the summary string because there is not enough room in the string. +- **truncatedDeviceCount** How many devices are missing from the summary string due to there not being enough room in the string. +- **truncatedDriverCount** How many driver packages are missing from the summary string due to there not being enough room in the string. - **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. -- **updateId** Unique ID for each update. +- **updateId** Unique ID for each Update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit @@ -5443,7 +6671,7 @@ The following fields are available: - **displayNeededReason** List of reasons for needing display. - **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). -- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery).. - **gameModeReason** Name of the executable that caused the game mode state check to start. - **ignoredReason** List of reasons that were intentionally ignored. - **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery). @@ -5462,7 +6690,7 @@ The following fields are available: - **deferReason** Reason why the device could not check for updates. - **detectionBlockingPolicy** State of update action. -- **detectionBlockreason** Reason for blocking detection +- **detectionBlockreason** State of update action - **detectionRetryMode** Indicates whether we will try to scan again. - **errorCode** Error info - **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. @@ -5472,7 +6700,7 @@ The following fields are available: - **revisionNumber** Update revision number. - **scanTriggerSource** Source of the triggered scan. - **updateId** Update ID. -- **updateScenarioType** Source of the triggered scan +- **updateScenarioType** Device ID - **wuDeviceid** Device ID @@ -5557,7 +6785,7 @@ This event is sent during update scan, download, or install, and indicates that The following fields are available: -- **configVersion** Escalation config version on device . +- **configVersion** Escalation config version on device. - **downloadElapsedTime** Indicates how long since the download is required on device. - **downloadRiskLevel** At-risk level of download phase. - **installElapsedTime** Indicates how long since the install is required on device. @@ -5585,7 +6813,7 @@ This event indicates that the update is no longer applicable to this device. The following fields are available: -- **EventPublishedTime** Time when this event was generated +- **EventPublishedTime** Time when this event was generated. - **flightID** The specific ID of the Windows Insider build. - **revisionNumber** Update revision number. - **updateId** Unique Windows Update ID. @@ -5633,7 +6861,7 @@ The following fields are available: - **deferReason** Reason for install not completing. - **errorCode** The error code reppresented by a hexadecimal value. - **eventScenario** End-to-end update session ID. -- **flightID** The specific ID of the Windows Insider build the device is getting. +- **flightID** Unique update ID - **flightUpdate** Indicates whether the update is a Windows Insider build. - **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. - **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. @@ -5648,6 +6876,31 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + ### Microsoft.Windows.Update.Orchestrator.PostInstall This event is sent after a Windows update install completes. @@ -5723,6 +6976,18 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. @@ -5819,6 +7084,76 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.USODiagnostics + +This event sends data on whether the state of the update attempt, to help keep Windows up to date. + +The following fields are available: + +- **LastApplicableUpdateFoundTime** The time when the last applicable update was found. +- **LastDownloadDeferredReason** The last reason download was deferred. +- **LastDownloadDeferredTime** The time of the download deferral. +- **LastDownloadFailureError** The last download failure. +- **LastDownloadFailureTime** The time of the last download failure. +- **LastInstallCompletedTime** The time when the last successful install completed. +- **LastInstallDeferredReason** The reason the last install was deferred. +- **LastInstallDeferredTime** The time when the last install was deferred. +- **LastInstallFailureError** The error code associated with the last install failure. +- **LastInstallFailureTime** The time when the last install failed to complete. +- **LastRebootDeferredReason** The reason the last reboot was deferred. +- **LastRebootDeferredTime** The time when the last reboot was deferred. +- **LastRebootPendingTime** The time when the last reboot state was set to “Pending”. +- **LastScanDeferredReason** The reason the last scan was deferred. +- **LastScanDeferredTime** The time when the last scan was deferred. +- **LastScanFailureError** The error code for the last scan failure. +- **LastScanFailureTime** The time when the last scan failed. +- **LastUpdateCheckTime** The time of the last update check. +- **LastUpdateDownloadTime** The time when the last update was downloaded. +- **LastUpgradeInstallFailureError** The error code for the last upgrade install failure. +- **LastUpgradeInstallFailureTime** The time of the last upgrade install failure. +- **LowUpTimeDetectTime** The last time “low up-time” was detected. +- **NoLowUpTimeDetectTime** The last time no “low up-time” was detected. +- **RebootRequired** Indicates reboot is required. +- **UpgradeInProgressTime** The amount of time a feature update has been in progress. +- **WaaSFeatureAssessmentDays** The number of days Feature Update Assessment has been out of date. +- **WaaSFeatureAssessmentImpact** The impact of the Feature Update Assessment. +- **WaaSUpToDateAssessmentDays** The number of days Quality Update Assessment has been out of date. +- **WaaSUpToDateAssessmentImpact** The impact of Quality Update Assessment. +- **wuDeviceid** Unique ID for Device + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + ### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded This event is sent when a security update has successfully completed. @@ -5853,7 +7188,7 @@ The following fields are available: - **scheduledRebootTime** Time scheduled for the reboot. - **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. - **updateId** Identifies which update is being scheduled. -- **wuDeviceid** Unique device ID used by Windows Update. +- **wuDeviceid** Unique DeviceID ### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot @@ -5868,8 +7203,27 @@ This event is sent when MUSE broker schedules a task. The following fields are available: -- **TaskArgument** The arguments which the task is scheduled with -- **TaskName** Name of the task +- **TaskArgument** The arguments with which the task is scheduled. +- **TaskName** Name of the task. + + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. ## Windows Update mitigation events @@ -5880,21 +7234,21 @@ This event sends data specific to the CleanupSafeOsImages mitigation used for OS The following fields are available: -- **ClientId** Unique identifier for each flight. -- **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Number of mounted images. -- **MountedImageCount** Number of mounted images that were under %systemdrive%\$Windows.~BT. -- **MountedImageMatches** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. -- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. -- **MountedImagesRemoved** Number of mounted images that were not under %systemdrive%\$Windows.~BT. -- **MountedImagesSkipped** Correlation vector value generated from the latest USO scan. -- **RelatedCV** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** Number of mounted images. +- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT. +- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. +- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. +- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. - **WuId** Unique ID for the Windows Update client. @@ -5951,4 +7305,34 @@ This event signals the completion of the setup process. It happens only once dur +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md new file mode 100644 index 0000000000..639c8005ed --- /dev/null +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -0,0 +1,7158 @@ +--- +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. +title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) +keywords: privacy, telemetry +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: brianlic-msft +ms.author: brianlic +ms.date: 12/13/2018 +--- + + +# Windows 10, version 1809 basic level Windows diagnostic events and fields + + **Applies to** + +- Windows 10, version 1809 + + +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. + +The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + + +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) + + + + +## Account trace logging provider events + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.General + +This event provides information about application properties to indicate the successful execution. + +The following fields are available: + +- **AppMode** Indicates the mode the app is being currently run around privileges. +- **ExitCode** Indicates the exit code of the app. +- **Help** Indicates if the app needs to be launched in the help mode. +- **ParseError** Indicates if there was a parse error during the execution. +- **RightsAcquired** Indicates if the right privileges were acquired for successful execution. +- **RightsWereEnabled** Indicates if the right privileges were enabled for successful execution. +- **TestMode** Indicates whether the app is being run in test mode. + + +### Microsoft.Windows.Mitigation.AccountTraceLoggingProvider.GetCount + +This event provides information about the properties of user accounts in the Administrator group. + +The following fields are available: + +- **Internal** Indicates the internal property associated with the count group. +- **LastError** The error code (if applicable) for the cause of the failure to get the count of the user account. +- **Result** The HResult error. + + +## AppLocker events + +### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically + +Automatically closed activity for start/stop operations that aren't explicitly closed. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddParams + +Parameters passed to Add function of the AppLockerCSP Node. + +The following fields are available: + +- **child** The child URI of the node to add. +- **uri** URI of the node relative to %SYSTEM32%/AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.AddStart + +Start of "Add" Operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.AddStop + +End of "Add" Operation for AppLockerCSP Node. + +The following fields are available: + +- **hr** The HRESULT returned by Add function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback + +Result of the 'Rollback' operation in AppLockerCSP. + +The following fields are available: + +- **oldId** Previous id for the CSP transaction. +- **txId** Current id for the CSP transaction. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearParams + +Parameters passed to the "Clear" operation for AppLockerCSP. + +The following fields are available: + +- **uri** The URI relative to the %SYSTEM32%\AppLocker folder. + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStart + +Start of the "Clear" operation for the AppLockerCSP Node. + + + +### Microsoft.Windows.Security.AppLockerCSP.ClearStop + +End of the "Clear" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT reported at the end of the 'Clear' function. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart + +Start of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **NotifyState** State sent by ConfigManager to AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop + +End of the "ConfigManagerNotification" operation for AppLockerCSP. + +The following fields are available: + +- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams + +Parameters passed to the CreateNodeInstance function of the AppLockerCSP node. + +The following fields are available: + +- **NodeId** NodeId passed to CreateNodeInstance. +- **nodeOps** NodeOperations parameter passed to CreateNodeInstance. +- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart + +Start of the "CreateNodeInstance" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop + +End of the "CreateNodeInstance" operation for the AppLockerCSP node + +The following fields are available: + +- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams + +Parameters passed to the DeleteChild function of the AppLockerCSP node. + +The following fields are available: + +- **child** The child URI of the node to delete. +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart + +Start of the "DeleteChild" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop + +End of the "DeleteChild" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies + +Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams + +Parameters passed to the GetChildNodeNames function of the AppLockerCSP node. + +The following fields are available: + +- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node. + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart + +Start of the "GetChildNodeNames" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop + +End of the "GetChildNodeNames" operation for the AppLockerCSP node. + +The following fields are available: + +- **child[0]** If function succeeded, the first child's name, else "NA". +- **count** If function succeeded, the number of child node names returned by the function, else 0. +- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.GetLatestId + +The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID). + +The following fields are available: + +- **dirId** The latest directory identifier found by GetLatestId. +- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter. + + +### Microsoft.Windows.Security.AppLockerCSP.HResultException + +HRESULT thrown by any arbitrary function in AppLockerCSP. + +The following fields are available: + +- **file** File in the OS code base in which the exception occurs. +- **function** Function in the OS code base in which the exception occurs. +- **hr** HRESULT that is reported. +- **line** Line in the file in the OS code base in which the exception occurs. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueParams + +Parameters passed to the SetValue function of the AppLockerCSP node. + +The following fields are available: + +- **dataLength** Length of the value to set. +- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker. + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStart + +Start of the "SetValue" operation for the AppLockerCSP node. + + + +### Microsoft.Windows.Security.AppLockerCSP.SetValueStop + +End of the "SetValue" operation for the AppLockerCSP node. + +The following fields are available: + +- **hr** HRESULT returned by the SetValue function in AppLockerCSP. + + +### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies + +EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed. + +The following fields are available: + +- **uri** URI for node relative to %SYSTEM32%/AppLocker. + + +## Appraiser events + +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount + +This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. + +The following fields are available: + +- **DatasourceApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DatasourceDevicePnp_RS2** The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device. +- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device. +- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoBlock_RS2** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. +- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19ASetup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_19H1Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. +- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS5Setup** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DecisionDevicePnp_RS2** The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device. +- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. +- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_19H1Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19ASetup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_19H1Setup** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. +- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. +- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS5Setup** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19ASetup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_19H1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_19H1Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. +- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 present on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS3Setup** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. +- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS5Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** The count of the number of this particular object type present on this device. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The count of the number of this particular object type present on this device. +- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device. +- **SystemProcessorSse2** The count of the number of this particular object type present on this device. +- **SystemTouch** The count of the number of this particular object type present on this device. +- **SystemWim** The count of the number of this particular object type present on this device. +- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device. +- **SystemWlan** The count of the number of this particular object type present on this device. +- **Wmdrm_19ASetup** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1** The count of the number of this particular object type present on this device. +- **Wmdrm_19H1Setup** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS2** The total Wmdrm objects targeting Windows 10 version 1703 present on this device. +- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. +- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5** The count of the number of this particular object type present on this device. +- **Wmdrm_RS5Setup** The count of the number of this particular object type present on this device. +- **Wmdrm_TH1** The count of the number of this particular object type present on this device. +- **Wmdrm_TH2** The count of the number of this particular object type present on this device. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd + +Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove + +This event indicates that the DatasourceApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync + +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **AppraiserVersion** The version of the appraiser file generating the events. +- **IsBootCritical** Indicates whether the device boot is critical. +- **UplevelInboxDriver** Indicates whether there is a driver uplevel for this device. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove + +This event indicates that the DatasourceSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync + +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd + +This event sends compatibility decision data about a file to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. +- **DisplayGenericMessage** Will be a generic message be shown for this file? +- **DisplayGenericMessageGated** Indicates whether a generic message be shown for this file. +- **HardBlock** This file is blocked in the SDB. +- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? +- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode? +- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade? +- **NeedsDismissAction** Will the file cause an action that can be dimissed? +- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app. +- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade? +- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app. +- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade. +- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB, +- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade. +- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed. +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade. +- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. +- **SoftBlock** The file is softblocked in the SDB and has a warning. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove + +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync + +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd + +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? +- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? +- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? +- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? +- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? +- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? +- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device. +- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? +- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? +- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device? +- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden? +- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device? +- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? +- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? +- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove + +This event indicates that the DecisionDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd + +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for this driver package. +- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? +- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block? +- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block? +- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade? +- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove + +This event indicates that the DecisionDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync + +This event indicates that a new set of DecisionDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd + +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync + +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd + +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown due to matching info blocks. +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync + +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd + +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove + +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd + +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? +- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? +- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterInUse** Is Windows Media Center actively being used? +- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? +- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove + +This event indicates that the DecisionMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync + +This event indicates that a new set of DecisionMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd + +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **DisplayGenericMessageGated** Indicates whether a generic offer block message will be shown for the bios. +- **HasBiosBlock** Does the device have a BIOS block? + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove + +This event indicates that the DecisionSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync + +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.GatedRegChange + +This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. + +The following fields are available: + +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **RegKey** The registry key name for which a result is being sent. +- **RegValue** The registry value for which a result is being sent. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd + +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. +- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync + +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd + +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync + +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd + +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove + +This event indicates that the InventoryMediaCenter object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync + +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd + +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **biosDate** The release date of the BIOS in UTC format. +- **BiosDate** The release date of the BIOS in UTC format. +- **biosName** The name field from Win32_BIOS. +- **BiosName** The name field from Win32_BIOS. +- **manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **model** The model field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove + +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event indicates what should be expected in the data payload. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Subcontext** Indicates what categories of incompatibilities appraiser is scanning for. Can be N/A, Resolve, or a semicolon-delimited list that can include App, Dev, Sys, Gat, or Rescan. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryRemove + +This event that the SystemMemory object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove + +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove + +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove + +This event indicates that the SystemProcessorNx object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove + +This event indicates that the SystemProcessorPrefetchW object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove + +This event indicates that the SystemProcessorSse2 object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. + + +### Microsoft.Windows.Appraiser.General.SystemTouchRemove + +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimRemove + +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove + +This event indicates that the SystemWindowsActivationStatus object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanAdd + +This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? +- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? +- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? +- **WlanExists** Does the device support WLAN at all? +- **WlanModulePresent** Are any WLAN modules present? +- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? + + +### Microsoft.Windows.Appraiser.General.SystemWlanRemove + +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync + +This event indicates that a new set of SystemWlanAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth + +This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InboxDataVersion** The original version of the data files before retrieving any newer version. +- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser telemetry run. +- **ScheduledUploadDay** The day scheduled for the upload. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. + + +### Microsoft.Windows.Appraiser.General.WmdrmRemove + +This event indicates that the Wmdrm object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.WmdrmStartSync + +This event indicates that a new set of WmdrmAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +## Census events + +### Census.App + +Provides information on IE and Census versions running on the device + +The following fields are available: + +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. +- **AppraiserTaskLastRun** The last runtime for the Appraiser task. +- **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** IE version running on the device. + + +### Census.Battery + +This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. + +The following fields are available: + +- **InternalBatteryCapablities** Represents information about what the battery is capable of doing. +- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. +- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. +- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. + + +### Census.Camera + +This event sends data about the resolution of cameras on the device, to help keep Windows up to date. + +The following fields are available: + +- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. +- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. + + +### Census.Enterprise + +This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. + +The following fields are available: + +- **AADDeviceId** Azure Active Directory device ID. +- **AzureOSIDPresent** Represents the field used to identify an Azure machine. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. +- **CDJType** Represents the type of cloud domain joined for the machine. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. +- **ContainerType** The type of container, such as process or virtual machine hosted. +- **EnrollmentType** Defines the type of MDM enrollment on the device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsDomainJoined** Indicates whether a machine is joined to a domain. +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier + + +### Census.Firmware + +This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. + +The following fields are available: + +- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS). +- **FirmwareReleaseDate** Represents the date the current firmware was released. +- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI. +- **FirmwareVersion** Represents the version of the current firmware. + + +### Census.Flighting + +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. + +The following fields are available: + +- **DeviceSampleRate** The telemetry sample rate assigned to the device. +- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **FlightIds** A list of the different Windows Insider builds on this device. +- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. +- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. +- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. +- **SSRK** Retrieves the mobile targeting settings. + + +### Census.Hardware + +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. + +The following fields are available: + +- **ActiveMicCount** The number of active microphones attached to the device. +- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. +- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. +- **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceColor** Indicates a color of the device. +- **DeviceForm** Indicates the form as per the device classification. +- **DeviceName** The device name that is set by the user. +- **DigitizerSupport** Is a digitizer supported? +- **DUID** The device unique ID. +- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). +- **InventoryId** The device ID used for compatibility testing. +- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). +- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) +- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. +- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. +- **OEMModelBaseBoard** The baseboard model used by the OEM. +- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. +- **OEMModelName** The device model name. +- **OEMModelNumber** The device model number. +- **OEMModelSKU** The device edition that is defined by the manufacturer. +- **OEMModelSystemFamily** The system family set on the device by an OEM. +- **OEMModelSystemVersion** The system model version set on the device by the OEM. +- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. +- **OEMSerialNumber** The serial number of the device that is set by the manufacturer. +- **PhoneManufacturer** The friendly name of the phone manufacturer. +- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. +- **SoCName** The firmware manufacturer of the device. +- **StudyID** Used to identify retail and non-retail device. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMManufacturerId** The ID of the TPM manufacturer. +- **TPMManufacturerVersion** The version of the TPM manufacturer. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + + +### Census.Memory + +This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date. + +The following fields are available: + +- **TotalPhysicalRAM** Represents the physical memory (in MB). +- **TotalVisibleMemory** Represents the memory that is not reserved by the system. + + +### Census.Network + +This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date. + +The following fields are available: + +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. +- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. +- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. +- **NetworkAdapterGUID** The GUID of the primary network adapter. +- **NetworkCost** Represents the network cost associated with a connection. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. + + +### Census.OS + +This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date. + +The following fields are available: + +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **AssignedAccessStatus** Kiosk configuration mode. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time +- **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. +- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go +- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc +- **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). +- **OSSKU** Retrieves the Friendly Name of OS Edition. +- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. +- **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. +- **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. +- **ProductActivationResult** Returns Boolean if the OS Activation was successful. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. +- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. + + +### Census.PrivacySettings + +This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **AppointmentsSystem** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **ChatSystem** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **ContactsSystem** Current state of the Contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **EmailSystem** Current state of the email setting. +- **FindMyDevice** Current state of the "find my device" setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud sync setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PhoneCallHistorySystem** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserDataTasksSystem** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.Processor + +Provides information on several important data points about Processor settings + +The following fields are available: + +- **KvaShadow** Microcode info of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. +- **PreviousUpdateRevision** Previous microcode revision +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorClockSpeed** Clock speed of the processor in MHz. +- **ProcessorCores** Number of logical cores in the processor. +- **ProcessorIdentifier** Processor Identifier of a manufacturer. +- **ProcessorManufacturer** Name of the processor manufacturer. +- **ProcessorModel** Name of the processor model. +- **ProcessorPhysicalCores** Number of physical cores in the processor. +- **ProcessorUpdateRevision** Microcode revision +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status +- **SocketCount** Count of CPU sockets. +- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability. + + +### Census.Security + +This event provides information on about security settings used to help keep Windows up to date and secure. + +The following fields are available: + +- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. +- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. +- **DGState** This field summarizes the Device Guard state. +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. +- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. +- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. +- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. +- **SModeState** The Windows S mode trail state. +- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. + + +### Census.Speech + +This event is used to gather basic speech settings on the device. + +The following fields are available: + +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KeyVer** Version information for the census speech event. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference. + + +### Census.Storage + +This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. + +The following fields are available: + +- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. +- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). +- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. + + +### Census.Userdefault + +This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. + +The following fields are available: + +- **CalendarType** The calendar identifiers that are used to specify different calendars. +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. +- **LongDateFormat** The long date format the user has selected. +- **ShortDateFormat** The short date format the user has selected. + + +### Census.UserDisplay + +This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. + +The following fields are available: + +- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. +- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **VRAMDedicated** Retrieves the video RAM in MB. +- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. +- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. + + +### Census.UserNLS + +This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date. + +The following fields are available: + +- **DefaultAppLanguage** The current user Default App Language. +- **DisplayLanguage** The current user preferred Windows Display Language. +- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. +- **KeyboardInputLanguages** The Keyboard input languages installed on the device. +- **SpeechInputLanguages** The Speech Input languages installed on the device. + + +### Census.UserPrivacySettings + +This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings. + +The following fields are available: + +- **Activity** Current state of the activity history setting. +- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting. +- **ActivityHistoryCollection** Current state of the activity history collection setting. +- **AdvertisingId** Current state of the advertising ID setting. +- **AppDiagnostics** Current state of the app diagnostics setting. +- **Appointments** Current state of the calendar setting. +- **AppointmentsSystem** Current state of the calendar setting. +- **Bluetooth** Current state of the Bluetooth capability setting. +- **BluetoothSync** Current state of the Bluetooth sync capability setting. +- **BroadFileSystemAccess** Current state of the broad file system access setting. +- **CellularData** Current state of the cellular data capability setting. +- **Chat** Current state of the chat setting. +- **ChatSystem** Current state of the chat setting. +- **Contacts** Current state of the contacts setting. +- **ContactsSystem** Current state of the contacts setting. +- **DocumentsLibrary** Current state of the documents library setting. +- **Email** Current state of the email setting. +- **EmailSystem** Current state of the email setting. +- **GazeInput** Current state of the gaze input setting. +- **HumanInterfaceDevice** Current state of the human interface device setting. +- **InkTypeImprovement** Current state of the improve inking and typing setting. +- **InkTypePersonalization** Current state of the inking and typing personalization setting. +- **Location** Current state of the location setting. +- **LocationHistory** Current state of the location history setting. +- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting. +- **LocationHistoryOnTimeline** Current state of the location history on timeline setting. +- **Microphone** Current state of the microphone setting. +- **PhoneCall** Current state of the phone call setting. +- **PhoneCallHistory** Current state of the call history setting. +- **PhoneCallHistorySystem** Current state of the call history setting. +- **PicturesLibrary** Current state of the pictures library setting. +- **Radios** Current state of the radios setting. +- **SensorsCustom** Current state of the custom sensor setting. +- **SerialCommunication** Current state of the serial communication setting. +- **Sms** Current state of the text messaging setting. +- **SpeechPersonalization** Current state of the speech services setting. +- **USB** Current state of the USB setting. +- **UserAccountInformation** Current state of the account information setting. +- **UserDataTasks** Current state of the tasks setting. +- **UserDataTasksSystem** Current state of the tasks setting. +- **UserNotificationListener** Current state of the notifications setting. +- **VideosLibrary** Current state of the videos library setting. +- **Webcam** Current state of the camera setting. +- **WiFiDirect** Current state of the Wi-Fi direct setting. + + +### Census.VM + +This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. + +The following fields are available: + +- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. +- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. +- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. +- **IsVDI** Is the device using Virtual Desktop Infrastructure? +- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. +- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. + + +### Census.WU + +This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. + +The following fields are available: + +- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. +- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). +- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured +- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting +- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. +- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? +- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? +- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? +- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? +- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? +- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. +- **OSRollbackCount** The number of times feature updates have rolled back on the device. +- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. +- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . +- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. +- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default. +- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. +- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). +- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. +- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. +- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. +- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. +- **WUPauseState** Retrieves WU setting to determine if updates are paused. +- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). + + +### Census.Xbox + +This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. + +The following fields are available: + +- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. + + +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **locale** The locale of the app. +- **name** The name of the app. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **epoch** An ID that's incremented for each SDK initialization. +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **seq** An ID that's incremented for each event. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.cs + +Describes properties related to the schema of the event. + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **make** Device manufacturer. +- **model** Device model. + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). +- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **name** Represents the operating system name. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.receipts + +Represents various time information as provided by the client and helps for debugging purposes. + +The following fields are available: + +- **originalTime** The original event time. +- **uploadTime** The time the event was uploaded. + + +### Common Data Extensions.sdk + +Used by platform specific libraries to record fields that are required for a specific SDK. + +The following fields are available: + +- **epoch** An ID that is incremented for each SDK initialization. +- **installId** An ID that's created during the initialization of the SDK for the first time. +- **libVer** The SDK version. +- **seq** An ID that is incremented for each event. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **locale** The language and region. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + + +## Compatibility events + +### Microsoft.Windows.Compatibility.Apphelp.SdbFix + +Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. + +The following fields are available: + +- **AppName** Name of the application impacted by SDB. +- **FixID** SDB GUID. +- **Flags** List of flags applied. +- **ImageName** Name of file. + + +## Component-based servicing events + +### CbsServicingProvider.CbsCapabilityEnumeration + +This event reports on the results of scanning for optional Windows content on Windows Update. + +The following fields are available: + +- **architecture** Indicates the scan was limited to the specified architecture. +- **capabilityCount** The number of optional content packages found during the scan. +- **clientId** The name of the application requesting the optional content. +- **duration** The amount of time it took to complete the scan. +- **hrStatus** The HReturn code of the scan. +- **language** Indicates the scan was limited to the specified language. +- **majorVersion** Indicates the scan was limited to the specified major version. +- **minorVersion** Indicates the scan was limited to the specified minor version. +- **namespace** Indicates the scan was limited to packages in the specified namespace. +- **sourceFilter** A bitmask indicating the scan checked for locally available optional content. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionFinalize + +This event provides information about the results of installing or uninstalling optional Windows content from Windows Update. + +The following fields are available: + +- **capabilities** The names of the optional content packages that were installed. +- **clientId** The name of the application requesting the optional content. +- **currentID** The ID of the current install session. +- **downloadSource** The source of the download. +- **highestState** The highest final install state of the optional content. +- **hrLCUReservicingStatus** Indicates whether the optional content was updated to the latest available version. +- **hrStatus** The HReturn code of the install operation. +- **rebootCount** The number of reboots required to complete the install. +- **retryID** The session ID that will be used to retry a failed operation. +- **retryStatus** Indicates whether the install will be retried in the event of failure. +- **stackBuild** The build number of the servicing stack. +- **stackMajorVersion** The major version number of the servicing stack. +- **stackMinorVersion** The minor version number of the servicing stack. +- **stackRevision** The revision number of the servicing stack. + + +### CbsServicingProvider.CbsCapabilitySessionPended + +This event provides information about the results of installing optional Windows content that requires a reboot to keep Windows up to date. + +The following fields are available: + +- **clientId** The name of the application requesting the optional content. +- **pendingDecision** Indicates the cause of reboot, if applicable. + + +### CbsServicingProvider.CbsLateAcquisition + +This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date. + +The following fields are available: + +- **Features** The list of feature packages that could not be updated. +- **RetryID** The ID identifying the retry attempt to update the listed packages. + + +### CbsServicingProvider.CbsPackageRemoval + +This event provides information about the results of uninstalling a Windows Cumulative Security Update to help keep Windows up to date. + +The following fields are available: + +- **buildVersion** The build number of the security update being uninstalled. +- **clientId** The name of the application requesting the uninstall. +- **currentStateEnd** The final state of the update after the operation. +- **failureDetails** Information about the cause of a failure, if applicable. +- **failureSourceEnd** The stage during the uninstall where the failure occurred. +- **hrStatusEnd** The overall exit code of the operation. +- **initiatedOffline** Indicates if the uninstall was initiated for a mounted Windows image. +- **majorVersion** The major version number of the security update being uninstalled. +- **minorVersion** The minor version number of the security update being uninstalled. +- **originalState** The starting state of the update before the operation. +- **pendingDecision** Indicates the cause of reboot, if applicable. +- **primitiveExecutionContext** The state during system startup when the uninstall was completed. +- **revisionVersion** The revision number of the security update being uninstalled. +- **transactionCanceled** Indicates whether the uninstall was cancelled. + + +## Deployment extensions + +### DeploymentTelemetry.Deployment_End + +This event indicates that a Deployment 360 API has completed. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** Phase in upgrade. +- **RelatedCV** The correction vector (CV) of any other related events +- **Result** End result of the action. + + +### DeploymentTelemetry.Deployment_SetupBoxLaunch + +This event indicates that the Deployment 360 APIs have launched Setup Box. + +The following fields are available: + +- **ClientId** The client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current setup phase. + + +### DeploymentTelemetry.Deployment_SetupBoxResult + +This event indicates that the Deployment 360 APIs have received a return from Setup Box. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of the action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Indicates whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current Setup phase. + + +### DeploymentTelemetry.Deployment_Start + +This event indicates that a Deployment 360 API has been called. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** The current phase of the upgrade. +- **RelatedCV** The correlation vector (CV) of any other related events. + + +## Diagnostic data events + +### TelClientSynthetic.AbnormalShutdown_0 + +This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date. + +The following fields are available: + +- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event. +- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in. +- **BatteryLevelAtLastShutdown** The last recorded battery level. +- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown. +- **CrashDumpEnabled** Are crash dumps enabled? +- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset. +- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported. +- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware. +- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware. +- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware. +- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware. +- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not. +- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType. +- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset. +- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not. +- **LastBugCheckBootId** bootId of the last captured crash. +- **LastBugCheckCode** Code that indicates the type of error. +- **LastBugCheckContextFlags** Additional crash dump settings. +- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save. +- **LastBugCheckOtherSettings** Other crash dump settings. +- **LastBugCheckParameter1** The first parameter with additional info on the type of the error. +- **LastBugCheckProgress** Progress towards writing out the last crash dump. +- **LastBugCheckVersion** The version of the information struct written during the crash. +- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown. +- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button. +- **OOBEInProgress** Identifies if OOBE is running. +- **OSSetupInProgress** Identifies if the operating system setup is running. +- **PowerButtonCumulativePressCount** How many times has the power button been pressed? +- **PowerButtonCumulativeReleaseCount** How many times has the power button been released? +- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record power button metrics. +- **PowerButtonLastPressBootId** BootId of the last time the power button was pressed. +- **PowerButtonLastPressTime** Date and time of the last time the power button was pressed. +- **PowerButtonLastReleaseBootId** BootId of the last time the power button was released. +- **PowerButtonLastReleaseTime** Date and time of the last time the power button was released. +- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed. +- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed. +- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on. +- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press. +- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API. +- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition. +- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file. +- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid. +- **StaleBootStatData** Identifies if the data from bootstat is stale. +- **TransitionInfoBootId** BootId of the captured transition info. +- **TransitionInfoCSCount** l number of times the system transitioned from Connected Standby mode. +- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode. +- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode. +- **TransitionInfoCSInProgress** At the time the last marker was saved, the system was in or entering Connected Standby mode. +- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp, +- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved. +- **TransitionInfoLidState** Describes the state of the laptop lid. +- **TransitionInfoPowerButtonTimestamp** The date and time of the last time the power button was pressed. +- **TransitionInfoSleepInProgress** At the time the last marker was saved, the system was in or entering sleep mode. +- **TransitionInfoSleepTranstionsToOn** Total number of times the device transitioned from sleep mode. +- **TransitionInfoSystemRunning** At the time the last marker was saved, the device was running. +- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed. +- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed. +- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition. +- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint. +- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational. +- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host. + + +### TelClientSynthetic.AuthorizationInfo_RuntimeTransition + +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.AuthorizationInfo_Startup + +Fired by UTC at startup to signal what data we are allowed to collect. + +The following fields are available: + +- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. +- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. +- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. +- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. +- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. +- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. +- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. +- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. +- **CanReportScenarios** True if we can report scenario completions, false otherwise. +- **PreviousPermissions** Bitmask of previous telemetry state. +- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. + + +### TelClientSynthetic.ConnectivityHeartBeat_0 + +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. + +The following fields are available: + +- **CensusExitCode** Returns last execution codes from census client run. +- **CensusStartTime** Returns timestamp corresponding to last successful census run. +- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. +- **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. +- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. +- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. + + +### TelClientSynthetic.HeartBeat_5 + +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. +- **CensusExitCode** The last exit code of the Census task. +- **CensusStartTime** Time of last Census run. +- **CensusTaskEnabled** True if Census is enabled, false otherwise. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. +- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. +- **DbDroppedCount** Number of events dropped due to DB fullness. +- **DbDroppedFailureCount** Number of events dropped due to DB failures. +- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session. +- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. +- **EventStoreResetCounter** Number of times event DB was reset. +- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventSubStoreResetCounter** Number of times event DB was reset. +- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.HeartBeat_Aria_5 + +This event is the telemetry client ARIA heartbeat. + +The following fields are available: + +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped at the database layer. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times the event store has been reset. +- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat. +- **EventStoreResetSizeSum** Size of event store reset in bytes. +- **EventsUploaded** Number of events uploaded. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastEventSizeOffender** Event name of last event which exceeded max event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. +- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **TopUploaderErrors** List of top errors received from the upload endpoint. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **UploaderErrorCount** Number of errors received from the upload endpoint. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +### TelClientSynthetic.HeartBeat_Seville_5 + +This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense. + +The following fields are available: + +- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel. +- **CompressedBytesUploaded** Number of compressed bytes uploaded. +- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client. +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode). +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped due to database being full. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. +- **DecodingDroppedCount** Number of events dropped due to decoding failures. +- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode). +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session. +- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client. +- **EventsPersistedCount** Number of events that reached the PersistEvent stage. +- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC). +- **EventStoreResetCounter** Number of times the event database was reset. +- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state. +- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full. +- **HeartBeatSequenceNumber** The sequence number of this heartbeat. +- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. +- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. +- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. +- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode). +- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). +- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. +- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client. +- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. + + +## Direct to update events + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure + +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess + +This event indicates that the Coordinator Cleanup call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess + +This event indicates that the Coordinator Commit call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess + +This event indicates that the Coordinator Download call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinate version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess + +This event indicates that the Coordinator HandleShutdown call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess + +This event indicates that the Coordinator Initialize call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack + +This event indicates that the Coordinator's progress callback has been called. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess + +This event indicates that the Coordinator SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection + +This event indicates that the user selected an option on the Reboot UI. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **rebootUiSelection** Selection on the Reboot UI. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess + +This event indicates that the Coordinator WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess + +This event indicates that the Handler CheckApplicabilityInternal call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result of the applicability check. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess + +This event indicates that the Handler CheckApplicability call succeeded. + +The following fields are available: + +- **ApplicabilityResult** The result code indicating whether the update is applicable. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess + +This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess + +This event indicates that the Handler Commit call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run.run +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure + +This event indicates that the Handler Download and Extract cab call failed. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess + +This event indicates that the Handler Download and Extract cab call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess + +This event indicates that the Handler Download call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess + +This event indicates that the Handler Initialize call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess + +This event indicates that the Coordinator Install call succeeded. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess + +This event indicates that the Handler SetCommitReady call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call. + +The following fields are available: + +- **CampaignID** The ID of the campaigning being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** The HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess + +This event indicates that the Handler WaitForRebootUi call succeeded. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +## DxgKernelTelemetry events + +### DxgKrnlTelemetry.GPUAdapterInventoryV2 + +This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. + +The following fields are available: + +- **AdapterTypeValue** The numeric value indicating the type of Graphics adapter. +- **aiSeqId** The event sequence ID. +- **bootId** The system boot ID. +- **BrightnessVersionViaDDI** The version of the Display Brightness Interface. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdapterLuid** The display adapter LUID. +- **DriverDate** The date of the display driver. +- **DriverRank** The rank of the display driver. +- **DriverVersion** The display driver version. +- **DX10UMDFilePath** The file path to the location of the DirectX 10 Display User Mode Driver in the Driver Store. +- **DX11UMDFilePath** The file path to the location of the DirectX 11 Display User Mode Driver in the Driver Store. +- **DX12UMDFilePath** The file path to the location of the DirectX 12 Display User Mode Driver in the Driver Store. +- **DX9UMDFilePath** The file path to the location of the DirectX 9 Display User Mode Driver in the Driver Store. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendorID** The GPU vendor ID. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? +- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? +- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? +- **IsLDA** Is the GPU comprised of Linked Display Adapters? +- **IsMiracastSupported** Does the GPU support Miracast? +- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? +- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? +- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **IsPostAdapter** Is this GPU the POST GPU in the device? +- **IsRemovable** TRUE if the adapter supports being disabled or removed. +- **IsRenderDevice** Does the GPU have rendering capabilities? +- **IsSoftwareDevice** Is this a software implementation of the GPU? +- **KMDFilePath** The file path to the location of the Display Kernel Mode Driver in the Driver Store. +- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? +- **NumVidPnSources** The number of supported display output sources. +- **NumVidPnTargets** The number of supported display output targets. +- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). +- **SubSystemID** The subsystem ID. +- **SubVendorID** The GPU sub vendor ID. +- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? +- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) +- **version** The event version. +- **WDDMVersion** The Windows Display Driver Model version. + + +## Fault Reporting events + +### Microsoft.Windows.FaultReporting.AppCrashEvent + +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. + +The following fields are available: + +- **AppName** The name of the app that has crashed. +- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend. +- **AppTimeStamp** The date/time stamp of the app. +- **AppVersion** The version of the app that has crashed. +- **ExceptionCode** The exception code returned by the process that has crashed. +- **ExceptionOffset** The address where the exception had occurred. +- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. +- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name. +- **IsCrashFatal** (Deprecated) True/False to indicate whether the crash resulted in process termination. +- **IsFatal** True/False to indicate whether the crash resulted in process termination. +- **ModName** Exception module name (e.g. bar.dll). +- **ModTimeStamp** The date/time stamp of the module. +- **ModVersion** The version of the module that has crashed. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has crashed. +- **ProcessId** The ID of the process that has crashed. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported +- **TargetAsId** The sequence number for the hanging process. + + +## Hang Reporting events + +### Microsoft.Windows.HangReporting.AppHangEvent + +This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. + +The following fields are available: + +- **AppName** The name of the app that has hung. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **IsFatal** True/False based on whether the hung application caused the creation of a Fatal Hang Report. +- **PackageFullName** Store application identity. +- **PackageRelativeAppId** Store application identity. +- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. +- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. +- **TargetAppId** The kernel reported AppId of the application being reported. +- **TargetAppVer** The specific version of the application being reported. +- **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. + + +## Inventory events + +### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum + +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. + +The following fields are available: + +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of device census objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationAppV** A count of application AppV objects in cache. +- **InventoryApplicationDriver** A count of application driver objects in cache +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryApplicationFramework** A count of application framework objects in cache +- **InventoryApplicationShortcut** A count of application shortcut objects in cache +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache +- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache. +- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache +- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache +- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache +- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache +- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache +- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache +- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache +- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo + +Diagnostic data about the inventory cache. + +The following fields are available: + +- **CacheFileSize** Size of the cache. +- **InventoryVersion** Inventory version of the cache. +- **TempCacheCount** Number of temp caches created. +- **TempCacheDeletedCount** Number of temp caches deleted. + + +### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions + +This event sends inventory component versions for the Device Inventory data. + +The following fields are available: + +- **aeinv** The version of the App inventory component. +- **devinv** The file version of the Device inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd + +This event sends basic metadata about an application on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. +- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 +- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. +- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. +- **InventoryVersion** The version of the inventory file generating the events. +- **Language** The language code of the program. +- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiProductCode** A GUID that describe the MSI Product. +- **Name** The name of the application. +- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **PackageFullName** The package full name for a Store application. +- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). +- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd + +This event represents what drivers an application installs. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. +- **ProgramIds** The unique program identifier the driver is associated with. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync + +The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory component. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd + +This event provides the basic metadata about the frameworks an application may depend on. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **FileId** A hash that uniquely identifies a file. +- **Frameworks** The list of frameworks this file depends on. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync + +This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync + +This event indicates that a new set of InventoryApplicationAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd + +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Categories** A comma separated list of functional categories in which the container belongs. +- **DiscoveryMethod** The discovery method for the device container. +- **FriendlyName** The name of the device container. +- **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove + +This event indicates that the InventoryDeviceContainer object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync + +This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd + +This event retrieves information about what sensor interfaces are available on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Accelerometer3D** Indicates if an Accelerator3D sensor is found. +- **ActivityDetection** Indicates if an Activity Detection sensor is found. +- **AmbientLight** Indicates if an Ambient Light sensor is found. +- **Barometer** Indicates if a Barometer sensor is found. +- **Custom** Indicates if a Custom sensor is found. +- **EnergyMeter** Indicates if an Energy sensor is found. +- **FloorElevation** Indicates if a Floor Elevation sensor is found. +- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found. +- **GravityVector** Indicates if a Gravity Detector sensor is found. +- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. +- **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. +- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. +- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. +- **Orientation** Indicates if an Orientation sensor is found. +- **Pedometer** Indicates if a Pedometer sensor is found. +- **Proximity** Indicates if a Proximity sensor is found. +- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. +- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. +- **Temperature** Indicates if a Temperature sensor is found. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync + +This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd + +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Audio_CaptureDriver** The Audio device capture driver endpoint. +- **Audio_RenderDriver** The Audio device render driver endpoint. +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove + +This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync + +This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd + +This event represents the basic metadata about a plug and play (PNP) device and its associated driver. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BusReportedDescription** The description of the device reported by the bux. +- **Class** The device setup class of the driver loaded for the device. +- **ClassGuid** The device class GUID from the driver package +- **COMPID** The device setup class guid of the driver loaded for the device. +- **ContainerId** The list of compat ids for the device. +- **Description** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer. +- **DeviceState** The device description. +- **DriverId** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present +- **DriverName** A unique identifier for the driver installed. +- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage +- **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework). +- **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage. +- **Enumerator** The date of the driver loaded for the device. +- **ExtendedInfs** The extended INF file names. +- **HWID** The version of the driver loaded for the device. +- **Inf** The bus that enumerated the device. +- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx +- **InventoryVersion** List of hardware ids for the device. +- **LowerClassFilters** Lower filter class drivers IDs installed for the device +- **LowerFilters** Lower filter drivers IDs installed for the device +- **Manufacturer** INF file name (the name could be renamed by OS, such as oemXX.inf) +- **MatchingID** Device installation state. +- **Model** The version of the inventory binary generating the events. +- **ParentId** Lower filter class drivers IDs installed for the device. +- **ProblemCode** Lower filter drivers IDs installed for the device. +- **Provider** The device manufacturer. +- **Service** The device service name +- **STACKID** Represents the hardware ID or compatible ID that Windows uses to install a device instance. +- **UpperClassFilters** Upper filter drivers IDs installed for the device +- **UpperFilters** The device model. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove + +This event indicates that the InventoryDevicePnpRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd + +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. + + +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync + +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **ImageSize** The size of the driver file. +- **Inf** The name of the INF file. +- **InventoryVersion** The version of the inventory file generating the events. +- **Product** The product name that is included in the driver file. +- **ProductVersion** The product version that is included in the driver file. +- **Service** The name of the service that is installed for the device. +- **WdfVersion** The Windows Driver Framework version. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove + +This event indicates that the InventoryDriverBinary object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync + +This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd + +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Class** The class name for the device driver. +- **ClassGuid** The class GUID for the device driver. +- **Date** The driver package date. +- **Directory** The path to the driver package. +- **DriverInBox** Is the driver included with the operating system? +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. +- **Provider** The provider for the driver package. +- **SubmissionId** The HLK submission ID for the driver package. +- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.StartUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the beginning of the event download, and that tracing should begin. + + + +### Microsoft.Windows.Inventory.Core.StopUtcJsonTrace + +This event collects traces of all other Core events, not used in typical customer scenarios. This event signals the end of the event download, and that tracing should end. + + + +### Microsoft.Windows.Inventory.General.AppHealthStaticAdd + +This event sends details collected for a specific application on the source device. + +The following fields are available: + +- **AhaVersion** The binary version of the App Health Analyzer tool. +- **ApplicationErrors** The count of application errors from the event log. +- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit). +- **device_level** Various JRE/JAVA versions installed on a particular device. +- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type. +- **Jar** Flag to determine if an app has a Java JAR file dependency. +- **Jre** Flag to determine if an app has JRE framework dependency. +- **Jre_version** JRE versions an app has declared framework dependency for. +- **Name** Name of the application. +- **NonDPIAware** Flag to determine if an app is non-DPI aware. +- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location. +- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution. +- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution. +- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility. +- **VB6** Flag to determine if an app is based on VB6 framework. +- **VB6v2** Additional flag to determine if an app is based on VB6 framework. +- **Version** Version of the application. +- **VersionCheck** Flag to determine if an app has a static dependency on OS version. +- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version. + + +### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync + +This event indicates the beginning of a series of AppHealthStaticAdd events. + +The following fields are available: + +- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument. +- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable. +- **Enhanced** Indicates the presence of the 'enhanced' command line argument. +- **StartTime** UTC date and time at which this event was sent. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd + +Provides data on the installed Office Add-ins. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AddinCLSID** The CLSID for the Office add-in. +- **AddInCLSID** CLSID key for the office addin +- **AddInId** Office add-in ID. +- **AddinType** Office add-in Type. +- **BinFileTimestamp** Timestamp of the Office add-in. +- **BinFileVersion** Version of the Office add-in. +- **Description** Office add-in description. +- **FileId** FileId of the Office add-in. +- **FileSize** File size of the Office add-in. +- **FriendlyName** Friendly name for office add-in. +- **FullPath** Unexpanded path to the office add-in. +- **InventoryVersion** The version of the inventory binary generating the events. +- **LoadBehavior** Uint32 that describes the load behavior. +- **LoadTime** Load time for the office addin +- **OfficeApplication** The office application for this add-in. +- **OfficeArchitecture** Architecture of the add-in. +- **OfficeVersion** The office version for this add-in. +- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add-in. +- **ProductCompany** The name of the company associated with the Office add-in. +- **ProductName** The product name associated with the Office add-in. +- **ProductVersion** The version associated with the Office add-in. +- **ProgramId** The unique program identifier of the Office add-in. +- **Provider** Name of the provider for this add-in. +- **Usage** Data regarding usage of the add-in. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd + +Provides data on Office-related Internet Explorer features. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. +- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. +- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag +- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request +- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) +- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts +- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords +- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control +- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted +- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC) +- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL +- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior +- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows +- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd + +This event provides insight data on the installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Value** The insights collected about this entity. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync + +This diagnostic event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +Describes Office Products installed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OC2rApps** A GUID the describes the Office Click-To-Run apps +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OProductCodes** A GUID that describes the Office MSI products + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd + +This event describes various Office settings + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **BrowserFlags** Browser flags for Office-related products. +- **ExchangeProviderFlags** Provider policies for Office Exchange. +- **InventoryVersion** The version of the inventory binary generating the events. +- **SharedComputerLicensing** Office shared computer licensing policies. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync + +Indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd + +This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Design** Count of files with design issues found. +- **Design_x64** Count of files with 64 bit design issues found. +- **DuplicateVBA** Count of files with duplicate VBA code. +- **HasVBA** Count of files with VBA code. +- **Inaccessible** Count of files that were inaccessible for scanning. +- **InventoryVersion** The version of the inventory binary generating the events. +- **Issues** Count of files with issues detected. +- **Issues_x64** Count of files with 64-bit issues detected. +- **IssuesNone** Count of files with no issues detected. +- **IssuesNone_x64** Count of files with no 64-bit issues detected. +- **Locked** Count of files that were locked, preventing scanning. +- **NoVBA** Count of files with no VBA inside. +- **Protected** Count of files that were password protected, preventing scanning. +- **RemLimited** Count of files that require limited remediation changes. +- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues. +- **RemSignificant** Count of files that require significant remediation changes. +- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues. +- **Score** Overall compatibility score calculated for scanned content. +- **Score_x64** Overall 64-bit compatibility score calculated for scanned content. +- **Total** Total number of files scanned. +- **Validation** Count of files that require additional manual validation. +- **Validation_x64** Count of files that require additional manual validation for 64-bit issues. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd + +This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Count** Count of total Microsoft Office VBA rule violations +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove + +Indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.Checksum + +This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events. + +The following fields are available: + +- **CensusId** A unique hardware identifier. +- **ChecksumDictionary** A count of each operating system indicator. +- **PCFP** Equivalent to the InventoryId field that is found in other core events. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd + +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **IndicatorValue** The indicator value. + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove + +This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync + +This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +## Kernel events + +### IO + +This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. + +The following fields are available: + +- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. + + +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch + +OS information collected during Boot, used to evaluate the success of the upgrade process. + +The following fields are available: + +- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. +- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. +- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. +- **BootStatusPolicy** Identifies the applicable Boot Status Policy. +- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). +- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made. +- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonPch** Reason for system reset provided by firmware. +- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **LastBootSucceeded** Flag indicating whether the last boot was successful. +- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. +- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. +- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. +- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). +- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation. +- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). +- **RecoveryEnabled** Indicates whether recovery is enabled. +- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. +- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow. +- **UserInputTime** The amount of time the loader application spent waiting for user input. + + +## OneDrive events + +### Microsoft.OneDrive.Sync.Setup.APIOperation + +This event includes basic data about install and uninstall OneDrive API operations. + +The following fields are available: + +- **APIName** The name of the API. +- **Duration** How long the operation took. +- **IsSuccess** Was the operation successful? +- **ResultCode** The result code. +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.EndExperience + +This event includes a success or failure summary of the installation. + +The following fields are available: + +- **APIName** The name of the API. +- **HResult** HResult of the operation +- **IsSuccess** Whether the operation is successful or not +- **ScenarioName** The name of the scenario. + + +### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation + +This event is related to the OS version when the OS is upgraded with OneDrive installed. + +The following fields are available: + +- **CurrentOneDriveVersion** The current version of OneDrive. +- **CurrentOSBuildBranch** The current branch of the operating system. +- **CurrentOSBuildNumber** The current build number of the operating system. +- **CurrentOSVersion** The current version of the operating system. +- **HResult** The HResult of the operation. +- **SourceOSBuildBranch** The source branch of the operating system. +- **SourceOSBuildNumber** The source build number of the operating system. +- **SourceOSVersion** The source version of the operating system. + + +### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation + +This event is related to registering or unregistering the OneDrive update task. + +The following fields are available: + +- **APIName** The name of the API. +- **IsSuccess** Was the operation successful? +- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation. +- **ScenarioName** The name of the scenario. +- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation. + + +### Microsoft.OneDrive.Sync.Updater.ComponentInstallState + +This event includes basic data about the installation state of dependent OneDrive components. + +The following fields are available: + +- **ComponentName** The name of the dependent component. +- **isInstalled** Is the dependent component installed? + + +### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus + +This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken + +The following fields are available: + +- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. +- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. + + +### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult + +This event sends information describing the result of the update. + +The following fields are available: + +- **hr** The HResult of the operation. +- **IsLoggingEnabled** Indicates whether logging is enabled for the updater. +- **UpdaterVersion** The version of the updater. + + +### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult + +This event determines the status when downloading the OneDrive update configuration file. + +The following fields are available: + +- **hr** The HResult of the operation. + + +### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus + +This event determines the error code that was returned when verifying Internet connectivity. + +The following fields are available: + +- **winInetError** The HResult of the operation. + + +## Privacy consent logging events + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted + +This event is used to determine whether the user successfully completed the privacy consent experience. + +The following fields are available: + +- **presentationVersion** Which display version of the privacy consent experience the user completed +- **privacyConsentState** The current state of the privacy consent experience +- **settingsVersion** Which setting version of the privacy consent experience the user completed +- **userOobeExitReason** The exit reason of the privacy consent experience + + +### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus + +Event tells us effectiveness of new privacy experience. + +The following fields are available: + +- **isAdmin** whether the person who is logging in is an admin +- **isExistingUser** whether the account existed in a downlevel OS +- **isLaunching** Whether or not the privacy consent experience will be launched +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience +- **userRegionCode** The current user's region setting + + +## Setup events + +### SetupPlatformTel.SetupPlatformTelActivityEvent + +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Value associated with the corresponding event name. For example, time-related events will include the system time + + +### SetupPlatformTel.SetupPlatformTelActivityStarted + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + +The following fields are available: + +- **Name** The name of the dynamic update type. Example: GDR driver + + +### SetupPlatformTel.SetupPlatformTelActivityStopped + +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. + + + +### SetupPlatformTel.SetupPlatformTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. + + +### SetupPlatformTel.SetupPlatfOrmTelEvent + +This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios. + +The following fields are available: + +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. + + +## Software update events + +### SoftwareUpdateClientTelemetry.CheckForUpdates + +Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time +- **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates). +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Commit + +This event tracks the commit process post the update installation when software update client is trying to update the device. + +The following fields are available: + +- **BiosFamily** Device family as defined in the system BIOS +- **BiosName** Name of the system BIOS +- **BiosReleaseDate** Release date of the system BIOS +- **BiosSKUNumber** Device SKU as defined in the system BIOS +- **BIOSVendor** Vendor of the system BIOS +- **BiosVersion** Version of the system BIOS +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** Version number of the software distribution client +- **DeviceModel** Device model as defined in the system bios +- **EventInstanceID** A globally unique identifier for event instance +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Download + +Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded). + +The following fields are available: + +- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. +- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload. +- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. +- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. +- **AppXScope** Indicates the scope of the app download. The values can be one of the following: "RequiredContentOnly" - only the content required to launch the app is being downloaded; "AutomaticContentOnly" - only the optional [automatic] content for the app (the ones that can downloaded after the app has been launched) is being downloaded; "AllContent" - all content for the app, including the optional [automatic] content, is being downloaded. +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle). +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. +- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology. This value can be one of the following: (1) express download method was used for download; (2) SelfContained download method was used for download indicating the update had no express content; (3) SelfContained download method was used indicating that the update has an express payload, but the server is not hosting it; (4) SelfContained download method was used indicating that range requests are not supported; (5) SelfContained download method was used indicating that the system does not support express download (dpx.dll is not present); (6) SelfContained download method was used indicating that self-contained download method was selected previously; (7) SelfContained download method was used indicating a fall back to self-contained if the number of requests made by DPX exceeds a certain threshold. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** ID which defines which CDN the software distribution client downloaded the content from. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **ConnectTime** Indicates the cumulative sum (in seconds) of the time it took to establish the connection for all updates in an update bundle. +- **CurrentMobileOperator** The mobile operator the device is currently connected to. +- **DeviceModel** What is the device model. +- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. +- **DownloadProps** Indicates a bitmask for download operations indicating: (1) if an update was downloaded to a system volume (least significant bit i.e. bit 0); (2) if the update was from a channel other than the installed channel (bit 1); (3) if the update was for a product pinned by policy (bit 2); (4) if the deployment action for the update is uninstall (bit 3). +- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight. +- **FlightId** The specific ID of the flight (pre-release build) the device is getting. +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **HostName** The hostname URL the content is downloading from. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6. +- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **NetworkCost** A flag indicating the cost of the network used for downloading the update content. The values can be: 0x0 (Unkown); 0x1 (Network cost is unrestricted); 0x2 (Network cost is fixed); 0x4 (Network cost is variable); 0x10000 (Network cost over data limit); 0x20000 (Network cost congested); 0x40000 (Network cost roaming); 0x80000 (Network cost approaching data limit). +- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." +- **PackageFullName** The package name of the content. +- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. +- **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background. +- **RegulationReason** The reason that the update is regulated +- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload. +- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet. +- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded. +- **TotalExpectedBytes** The total count of bytes that the download is expected to be. +- **UpdateId** An identifier associated with the specific piece of content. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedDO** Whether the download used the delivery optimization service. +- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.DownloadCheckpoint + +This event provides a checkpoint between each of the Windows Update download phases for UUP content + +The following fields are available: + +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client + + +### SoftwareUpdateClientTelemetry.Install + +This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date. + +The following fields are available: + +- **BiosFamily** The family of the BIOS (Basic Input Output System). +- **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. +- **BIOSVendor** The vendor of the BIOS. +- **BiosVersion** The version of the BIOS. +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **ClientVersion** The version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0. +- **CSIErrorType** The stage of CBS installation where it failed. +- **CurrentMobileOperator** The mobile operator to which the device is currently connected. +- **DeviceModel** The device model. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **EventType** Possible values are Child, Bundle, or Driver. +- **ExtendedErrorCode** The extended error code. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program. +- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **FlightRing** The ring that a device is on if participating in the Windows Insider Program. +- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update). +- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether this update is a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart. +- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device. +- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation. +- **MsiAction** The stage of MSI installation where it failed. +- **MsiProductCode** The unique identifier of the MSI installer. +- **PackageFullName** The package name of the content being installed. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install. +- **RevisionNumber** The revision number of this specific piece of content. +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway. +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult). +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **TransactionCode** The ID that represents a given MSI installation. +- **UpdateId** Unique update ID. +- **UpdateID** An identifier associated with the specific piece of content. +- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. +- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### SoftwareUpdateClientTelemetry.Revert + +Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **CSIErrorType** Stage of CBS installation that failed. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **EventType** Event type (Child, Bundle, Release, or Driver). +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content has previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** The identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.TaskRun + +Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed). + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CmdLineArgs** Command line arguments passed in by the caller. +- **EventInstanceID** A globally unique identifier for the event instance. +- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.Uninstall + +Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded). + +The following fields are available: + +- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found. +- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed. +- **BundleRevisionNumber** Identifies the revision number of the content bundle. +- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request. +- **ClientVersion** Version number of the software distribution client. +- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0. +- **DriverPingBack** Contains information about the previous driver and system state. +- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required. +- **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.). +- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver". +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough. +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FlightBuildNumber** Indicates the build number of the flight. +- **FlightId** The specific ID of the flight the device is getting. +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.). +- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device. +- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process. +- **IsFirmware** Indicates whether an update was a firmware update. +- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot. +- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device. +- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device. +- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install. +- **ProcessName** Process name of the caller who initiated API calls into the software distribution client. +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one. +- **RepeatFailCount** Indicates whether this specific piece of content previously failed. +- **RevisionNumber** Identifies the revision number of this specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver. +- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. +- **UpdateId** Identifier associated with the specific piece of content. +- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended). +- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used. +- **WUDeviceID** Unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateDetected + +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. + +The following fields are available: + +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.). +- **WUDeviceID** The unique device ID controlled by the software distribution client. + + +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. + +The following fields are available: + +- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request. +- **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments. +- **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. +- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough. +- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed. +- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast". +- **StatusCode** Result code of the event (success, cancellation, failure code HResult) +- **TimestampTokenCertThumbprint** Thumbprint of the encoded timestamp token. +- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** Validity window in effect when verifying the timestamp + + +## System Resource Usage Monitor events + +### Microsoft.Windows.Srum.Sdp.CpuUsage + +This event provides information on CPU usage. + +The following fields are available: + +- **UsageMax** The maximum of hourly average CPU usage. +- **UsageMean** The mean of hourly average CPU usage. +- **UsageMedian** The median of hourly average CPU usage. +- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage. +- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage. + + +### Microsoft.Windows.Srum.Sdp.NetworkUsage + +This event provides information on network usage. + +The following fields are available: + +- **AdapterGuid** The unique ID of the adapter. +- **BytesTotalMax** The maximum of the hourly average bytes total. +- **BytesTotalMean** The mean of the hourly average bytes total. +- **BytesTotalMedian** The median of the hourly average bytes total. +- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total. +- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total. +- **LinkSpeed** The adapter link speed. + + +## Update events + +### Update360Telemetry.Revert + +This event sends data relating to the Revert phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the Revert phase. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RebootRequired** Indicates reboot is required. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **RevertResult** The result code returned for the Revert operation. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentCommit + +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentDownloadRequest + +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. + +The following fields are available: + +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique ID for each flight. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. +- **PackageCountOptional** Number of optional packages requested. +- **PackageCountRequired** Number of required packages requested. +- **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentExpand + +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. +- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentFellBackToCanonical + +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **PackageCount** Number of packages that feel back to canonical. +- **PackageList** PackageIds which fell back to canonical. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMerge + +The UpdateAgentMerge event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current merge phase. +- **FlightId** Unique ID for each flight. +- **MergeId** The unique ID to join two update sessions being merged. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentOneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **Count** The count of applicable OneSettings for the device. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. +- **Values** The values sent back to the device, if applicable. + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentReboot + +This event sends information indicating that a request has been sent to suspend an update. + +The following fields are available: + +- **ErrorCode** The error code returned for the current reboot. +- **FlightId** Unique ID for the flight (test instance version). +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan. +- **Result** The HResult of the event. +- **ScenarioId** The ID of the update scenario. +- **SessionId** The ID of the update attempt. +- **UpdateId** The ID of the update. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. + +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each Update. +- **UserSession** Indicates whether install was invoked by user actions. + + +## Upgrade events + +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. +- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. + + +### FacilitatorTelemetry.InitializeDU + +This event determines whether devices received additional or critical supplemental content during an OS upgrade. + +The following fields are available: + +- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. +- **DownloadRequestAttributes** The attributes we send to DCAT. +- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Url** The Delivery Catalog (DCAT) URL we send the request to. +- **Version** Version of Facilitator. + + +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). +- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. + + +### Setup360Telemetry.Finalize + +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PostRebootInstall + +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. + + +### Setup360Telemetry.PreDownloadQuiet + +This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreDownloadUX + +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.PreInstallQuiet + +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +### Setup360Telemetry.PreInstallUX + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + +### Setup360Telemetry.Setup360 + +This event sends data about OS deployment scenarios, to help keep Windows up-to-date. + +The following fields are available: + +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FieldName** Retrieves the data point. +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **ReportId** Retrieves the report ID. +- **ScenarioId** Retrieves the deployment scenario. +- **Value** Retrieves the value associated with the corresponding FieldName. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator’s last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned by setup for the entire operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **ScenarioId** Identifies the update scenario. +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + +The following fields are available: + +- **Applicable** TRUE if the mitigation is applicable for the current update. +- **ClientId** In the Windows Update scenario, this is the client ID passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightData** The unique identifier for each flight (test release). +- **Index** The mitigation index of this particular mitigation. +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly (descriptive) name of the mitigation. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly (descriptive) name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **ClientId** The Windows Update client ID passed to Setup. +- **Failed** The count of mitigations that failed. +- **FlightData** The unique identifier for each flight (test release). +- **InstanceId** The GUID (Globally Unique ID) that identifies each instance of SetupHost.EXE. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ReportId** In the Windows Update scenario, the Update ID that is passed to Setup. In media setup, this is the GUID for the INSTALL.WIM. +- **Result** HResult of this operation. +- **ScenarioId** Setup360 flow type. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **Total** The total number of mitigations that were available. + + +### Setup360Telemetry.Setup360OneSettings + +This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **ClientId** The Windows Update client ID passed to Setup. +- **Count** The count of applicable OneSettings for the device. +- **FlightData** The ID for the flight (test instance version). +- **InstanceId** The GUID (Globally-Unique ID) that identifies each instance of setuphost.exe. +- **Parameters** The set of name value pair parameters sent to OneSettings to determine if there are any applicable OneSettings. +- **ReportId** The Update ID passed to Setup. +- **Result** The HResult of the event error. +- **ScenarioId** The update scenario ID. +- **Values** Values sent back to the device, if applicable. + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. + +The following fields are available: + +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. + + +## Windows as a Service diagnostic events + +### Microsoft.Windows.WaaSMedic.SummaryEvent + +Result of the WaaSMedic operation. + +The following fields are available: + +- **callerApplication** The name of the calling application. +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineResult** Error code from the engine operation. +- **isInteractiveMode** The user started a run of WaaSMedic. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. +- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. +- **versionString** Version of the WaaSMedic engine. +- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter. + + +## Windows Error Reporting events + +### Microsoft.Windows.WERVertical.OSCrash + +This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. + +The following fields are available: + +- **BootId** Uint32 identifying the boot number for this device. +- **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check. +- **BugCheckParameter1** Uint64 parameter providing additional information. +- **BugCheckParameter2** Uint64 parameter providing additional information. +- **BugCheckParameter3** Uint64 parameter providing additional information. +- **BugCheckParameter4** Uint64 parameter providing additional information. +- **DumpFileAttributes** Codes that identify the type of data contained in the dump file +- **DumpFileSize** Size of the dump file +- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise +- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). + + +## Windows Error Reporting MTT events + +### Microsoft.Windows.WER.MTT.Denominator + +This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. + +The following fields are available: + +- **DPRange** Maximum mean value range. +- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate the mean. +- **Value** Standard UTC emitted DP value structure See [Value](#value). + + +### Value + +This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. + +The following fields are available: + +- **Algorithm** The algorithm used to preserve privacy. +- **DPRange** The upper bound of the range being measured. +- **DPValue** The randomized response returned by the client. +- **Epsilon** The level of privacy to be applied. +- **HistType** The histogram type if the algorithm is a histogram algorithm. +- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. + + +## Microsoft Store events + +### Microsoft.Windows.Store.StoreActivating + +This event sends tracking data about when the Store app activation via protocol URI is in progress, to help keep Windows up to date. + + + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **CategoryId** The Item Category ID. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The product family name of the product being installed. +- **ProductId** The identity of the package or packages being installed. +- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. +- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds + +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare + +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. + + + +### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation + +This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. +- **AttemptNumber** Total number of installation attempts. +- **BundleId** The identity of the Windows Insider build that is associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this an automatic restore of a previously acquired product? +- **IsUpdate** Is this a product update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of all packages to be downloaded and installed. +- **PreviousHResult** The previous HResult code. +- **PreviousInstallState** Previous installation state before it was canceled. +- **ProductId** The name of the package or packages requested for installation. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. +- **UserAttemptNumber** Total number of user attempts to install before it was canceled. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest + +This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Product ID of the app being installed. +- **HResult** HResult code of the action being performed. +- **IsBundle** Is this a bundle? +- **PackageFamilyName** The name of the package being installed. +- **ProductId** The Store Product ID of the product being installed. +- **SkuId** Specific edition of the item being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUpdate** Is this an update? +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **DownloadSize** The total size of the download. +- **ExtendedHResult** Any extended HResult error codes. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this initiated by the user? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this a restore of a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The parent bundle ID (if it's part of a bundle). +- **PFN** The Product Family Name of the app being download. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to download. +- **UserAttemptNumber** The number of attempts by the user to download. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate + +This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds + +This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed before this operation. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndInstall + +This event is sent after a product has been installed to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **ExtendedHResult** The extended HResult error code. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this an interactive installation? +- **IsMandatory** Is this a mandatory installation? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates + +This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsApplicability** Is this request to only check if there are any applicable packages to install? +- **IsInteractive** Is this user requested? +- **IsOnline** Is the request doing an online check? + + +### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages + +This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData + +This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of system attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare + +This event is sent after a scan for available app updates to help keep Windows up-to-date and secure. + +The following fields are available: + +- **HResult** The result code of the last action performed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete + +This event is sent at the end of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **FailedRetry** Indicates whether the installation or update retry was successful. +- **HResult** The HResult code of the operation. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate + +This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The name of the product catalog from which this app was chosen. +- **PFN** The Package Family Name of the app that is being installed or updated. +- **ProductId** The product ID of the app that is being updated or installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest + +This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **BundleId** The identity of the build associated with this product. +- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specific edition ID being installed. +- **VolumePath** The disk path of the installation. + + +### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation + +This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The total number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The Product Full Name. +- **PreviousHResult** The result code of the last action performed before this operation. +- **PreviousInstallState** Previous state before the installation or update was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector of a previous performed action on this product. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation + +This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** The number of retry attempts before it was canceled. +- **BundleId** The identity of the build associated with this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Is this user requested? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this restoring previously acquired content? +- **IsUpdate** Is this an update? +- **IsUserRetry** Did the user initiate the retry? +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). +- **PFN** The name of the package or packages requested for install. +- **PreviousHResult** The previous HResult error code. +- **PreviousInstallState** Previous state before the installation was paused. +- **ProductId** The Store Product ID for the product being installed. +- **RelatedCV** Correlation Vector for the original install before it was resumed. +- **ResumeClientId** The ID of the app that initiated the resume operation. +- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** The Windows Update content ID. + + +### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest + +This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **ProductId** The Store Product ID for the product being installed. + + +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest + +This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **CatalogId** The Store Catalog ID for the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. + + +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest + +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **PFamN** The name of the app that is requested for update. + + +## Windows System Kit events + +### Microsoft.Windows.Kits.WSK.WskImageCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. + +The following fields are available: + +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskImageCustomization + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. + +The following fields are available: + +- **CustomizationMode** Indicates the mode of the customization (new or updating). +- **CustomizationType** Indicates the type of customization (drivers or apps). +- **Mode** The mode of update to image configuration files. Values are “New” or “Update”. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **Type** The type of update to image configuration files. Values are “Apps” or “Drivers”. +- **WskVersion** The version of the Windows System Kit being used. + + +### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate + +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. + +The following fields are available: + +- **Architecture** The OS architecture that the workspace will target. Values are one of: “AMD64”, “ARM64”, “x86”, or “ARM”. +- **OsEdition** The Operating System Edition that the workspace will target. +- **Phase** The image creation phase. Values are “Start” or “End”. +- **WorkspaceArchitecture** The operating system architecture that the workspace will target. +- **WorkspaceOsEdition** The operating system edition that the workspace will target. +- **WskVersion** The version of the Windows System Kit being used. + + +## Windows Update Delivery Optimization events + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Indicates whether the device is connected to a VPN (Virtual Private Network). +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller. +- **reasonCode** Reason the action or event occurred. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted + +This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **bytesRequested** The total number of bytes requested for download. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **cdnConnectionCount** The total number of connections made to the CDN. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **cdnIp** The IP address of the source CDN. +- **cdnUrl** Url of the source Content Distribution Network (CDN). +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downlinkBps** The maximum measured available download bandwidth (in bytes per second). +- **downlinkUsageBps** The download speed (in bytes per second). +- **downloadMode** The download mode used for this file download session. +- **downloadModeReason** Reason for the download. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **groupConnectionCount** The total number of connections made to peers in the same group. +- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isEncrypted** TRUE if the file is encrypted and will be decrypted after download. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **lanConnectionCount** The total number of connections made to peers in the same LAN. +- **numPeers** The total number of peers used for this download. +- **predefinedCallerName** The name of the API Caller. +- **restrictedUpload** Is the upload restricted? +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **totalTimeMs** Duration of the download (in seconds). +- **updateID** The ID of the update being downloaded. +- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). +- **uplinkUsageBps** The upload speed (in bytes per second). +- **usedMemoryStream** TRUE if the download is using memory streaming for App downloads. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused + +This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download a background download? +- **cdnUrl** The URL of the source CDN (Content Delivery Network). +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **predefinedCallerName** The name of the API Caller object. +- **reasonCode** The reason for pausing the download. +- **routeToCacheServer** The cache server setting, source, and value. +- **sessionID** The ID of the download session. +- **updateID** The ID of the update being paused. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **cdnUrl** The URL of the source Content Distribution Network (CDN). +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **routeToCacheServer** Cache server setting, source, and value. +- **sessionID** The ID for the file download session. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. + + +### Microsoft.OSG.DU.DeliveryOptClient.JobError + +This event represents a Windows Update job error. It allows for investigation of top errors. + +The following fields are available: + +- **cdnIp** The IP Address of the source CDN (Content Delivery Network). +- **doErrorCode** Error code returned for delivery optimization. +- **errorCode** The error code returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **jobID** The Windows Update job ID. + + +## Windows Update events + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary + +This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **activated** Whether the entire device manifest update is considered activated and in use. +- **analysisErrorCount** How many driver packages that could not be analyzed because errors were hit during the analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** How many driver packages that were delivered by the device manifest that are missing from the system. +- **missingUpdateCount** How many updates that were part of the device manifest that are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** How many drivers packages that were delivered by the device manifest that are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match on. +- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. +- **truncatedDeviceCount** How many devices are missing from the summary string due to there not being enough room in the string. +- **truncatedDriverCount** How many driver packages are missing from the summary string due to there not being enough room in the string. +- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. +- **updateId** Unique ID for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit + +This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** The unique GUID for each diagnostics session. +- **relatedCV** A correlation vector value generated from the latest USO scan. +- **result** Outcome of the initialization of the session. +- **scenarioId** Identifies the Update scenario. +- **sessionId** The unique value for each update session. +- **updateId** The unique identifier for each Update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest + +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. +- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. +- **packageSizeExpress** Size of express packages in bytes. +- **rangeRequestState** Represents the state of the download range request. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the download request phase of update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize + +This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **flightMetadata** Contains the FlightId and the build being flighted. +- **objectId** Unique value for each Update Agent mode. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall + +This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **errorCode** The error code returned for the current install phase. +- **flightId** The unique identifier for each flight. +- **objectId** The unique identifier for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** The unique identifier for the update scenario. +- **sessionId** The unique identifier for each update session. +- **updateId** The unique identifier for each update. + + +### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. + +The following fields are available: + +- **flightId** The unique identifier for each flight. +- **mode** The mode that is starting. +- **objectId** The unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique identifier for each update. + + +### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed + +This event indicates that a notification dialog box is about to be displayed to user. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DaysSinceRebootRequired** Number of days since restart was required. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. +- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog + +This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.. + +The following fields are available: + +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog + +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** The local time of the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog + +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed. + +The following fields are available: + +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. + + +### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootReminderDialog + +This event returns information relating to the Enhanced Engaged reboot reminder dialog that was displayed. + +The following fields are available: + +- **DeviceLocalTime** The time at which the reboot reminder dialog was shown (based on the local device time settings). +- **ETag** The OneSettings versioning value. +- **ExitCode** Indicates how users exited the reboot reminder dialog box. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. +- **UserResponseString** The option chosen by the user on the reboot dialog box. +- **UtcTime** The time at which the reboot reminder dialog was shown (in UTC). + + +### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy + +This event indicates a policy is present that may restrict update activity to outside of active hours. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours + +This event indicates that update activity was blocked because it is within the active hours window. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel + +This event indicates that Windows Update activity was blocked due to low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Device ID. + + +### Microsoft.Windows.Update.Orchestrator.DeferRestart + +This event indicates that a restart required for installing updates was postponed. + +The following fields are available: + +- **displayNeededReason** List of reasons for needing display. +- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.). +- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery). +- **gameModeReason** Name of the executable that caused the game mode state check to start. +- **ignoredReason** List of reasons that were intentionally ignored. +- **IgnoreReasonsForRestart** List of reasons why restart was deferred. +- **revisionNumber** Update ID revision number. +- **systemNeededReason** List of reasons why system is needed. +- **updateId** Update ID. +- **updateScenarioType** Update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Detection + +This event indicates that a scan for a Windows Update occurred. + +The following fields are available: + +- **deferReason** Reason why the device could not check for updates. +- **detectionBlockingPolicy** State of update action. +- **detectionBlockreason** Reason for detection not completing. +- **detectionRetryMode** Indicates whether we will try to scan again. +- **errorCode** The returned error code. +- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session was user initiated. +- **networkStatus** Error info +- **revisionNumber** Update revision number. +- **scanTriggerSource** Source of the triggered scan. +- **updateId** Update ID. +- **updateScenarioType** Update Session type +- **wuDeviceid** Device ID + + +### Microsoft.Windows.Update.Orchestrator.DisplayNeeded + +This event indicates the reboot was postponed due to needing a display. + +The following fields are available: + +- **displayNeededReason** Reason the display is needed. +- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### Microsoft.Windows.Update.Orchestrator.Download + +This event sends launch data for a Windows Update download to help keep Windows up to date. + +The following fields are available: + +- **deferReason** Reason for download not completing. +- **errorCode** An error code represented as a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the session is user initiated. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit + +This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUEnabled + +This event indicates that Inbox DTU functionality was enabled. + +The following fields are available: + +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.DTUInitiated + +This event indicates that Inbox DTU functionality was intiated. + +The following fields are available: + +- **dtuErrorCode** Return code from creating the DTU Com Server. +- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on. +- **wuDeviceid** Device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask + +This event indicated that USO failed to add a trigger time to a task. + +The following fields are available: + +- **errorCode** The Windows Update error code. +- **wuDeviceid** The Windows Update device ID. + + +### Microsoft.Windows.Update.Orchestrator.FlightInapplicable + +This event indicates that the update is no longer applicable to this device. + +The following fields are available: + +- **EventPublishedTime** Time when this event was generated. +- **flightID** The specific ID of the Windows Insider build. +- **revisionNumber** Update revision number. +- **updateId** Unique Windows Update ID. +- **updateScenarioType** Update session type. +- **UpdateStatus** Last status of update. +- **UUPFallBackConfigured** Indicates whether UUP fallback is configured. +- **wuDeviceid** Unique Device ID. + + +### Microsoft.Windows.Update.Orchestrator.InitiatingReboot + +This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date. + +The following fields are available: + +- **EventPublishedTime** Time of the event. +- **flightID** Unique update ID +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours. +- **revisionNumber** Revision number of the update. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.Indicates the exact state of the user experience at the time the required reboot was initiated. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.Install + +This event sends launch data for a Windows Update install to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **errorCode** The error code reppresented by a hexadecimal value. +- **eventScenario** End-to-end update session ID. +- **flightID** Unique update ID +- **flightUpdate** Indicates whether the update is a Windows Insider build. +- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. +- **IgnoreReasonsForRestart** The reason(s) a Postpone Restart command was ignored. +- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. +- **installRebootinitiatetime** The time it took for a reboot to be attempted. +- **interactive** Identifies if session is user initiated. +- **minutesToCommit** The time it took to install updates. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.LowUptimes + +This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure. + +The following fields are available: + +- **availableHistoryMinutes** The number of minutes available from the local machine activity history. +- **isLowUptimeMachine** Is the machine considered low uptime or not. +- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime. +- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime. +- **uptimeMinutes** Number of minutes of uptime measured. +- **wuDeviceid** Unique device ID for Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.OneshotUpdateDetection + +This event returns data about scans initiated through settings UI, or background scans that are urgent; to help keep Windows up to date. + +The following fields are available: + +- **externalOneshotupdate** The last time a task-triggered scan was completed. +- **interactiveOneshotupdate** The last time an interactive scan was completed. +- **oldlastscanOneshotupdate** The last time a scan completed successfully. +- **wuDeviceid** The Windows Update Device GUID (Globally-Unique ID). + + +### Microsoft.Windows.Update.Orchestrator.PreShutdownStart + +This event is generated before the shutdown and commit operations. + +The following fields are available: + +- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. + + +### Microsoft.Windows.Update.Orchestrator.RebootFailed + +This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date. + +The following fields are available: + +- **batteryLevel** Current battery capacity in mWh or percentage left. +- **deferReason** Reason for install not completing. +- **EventPublishedTime** The time that the reboot failure occurred. +- **flightID** Unique update ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours. +- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RefreshSettings + +This event sends basic data about the version of upgrade settings applied to the system to help keep Windows up to date. + +The following fields are available: + +- **errorCode** Hex code for the error message, to allow lookup of the specific error. +- **settingsDownloadTime** Timestamp of the last attempt to acquire settings. +- **settingsETag** Version identifier for the settings. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask + +This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. + +The following fields are available: + +- **RebootTaskMissedTimeUTC** The time when the reboot task was scheduled to run, but did not. +- **RebootTaskNextTimeUTC** The time when the reboot task was rescheduled for. +- **RebootTaskRestoredTime** Time at which this reboot task was restored. +- **wuDeviceid** Device ID for the device on which the reboot is restored. + + +### Microsoft.Windows.Update.Orchestrator.ScanTriggered + +This event indicates that Update Orchestrator has started a scan operation. + +The following fields are available: + +- **errorCode** The error code returned for the current scan operation. +- **eventScenario** Indicates the purpose of sending this event. +- **interactive** Indicates whether the scan is interactive. +- **isDTUEnabled** Indicates whether DTU (internal abbreviation for Direct Feature Update) channel is enabled on the client system. +- **isScanPastSla** Indicates whether the SLA has elapsed for scanning. +- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan. +- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA. +- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA. +- **scanTriggerSource** Indicates what caused the scan. +- **updateScenarioType** The update session type. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.StickUpdate + +This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.SystemNeeded + +This event sends data about why a device is unable to reboot, to help keep Windows up to date. + +The following fields are available: + +- **eventScenario** End-to-end update session ID. +- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours. +- **revisionNumber** Update revision number. +- **systemNeededReason** List of apps or tasks that are preventing the system from restarting. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours + +This event indicates that update activity was stopped due to active hours starting. + +The following fields are available: + +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel + +This event is sent when update activity was stopped due to a low battery level. + +The following fields are available: + +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** The device identifier. + + +### Microsoft.Windows.Update.Orchestrator.UnstickUpdate + +This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. + +The following fields are available: + +- **updateId** Identifier associated with the specific piece of content. +- **wuDeviceid** Unique device ID controlled by the software distribution client. + + +### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh + +This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date. + +The following fields are available: + +- **configuredPoliciescount** Number of policies on the device. +- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight). +- **policyCacherefreshtime** Time when policy cache was refreshed. +- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired + +This event sends data about whether an update required a reboot to help keep Windows up to date. + +The following fields are available: + +- **flightID** The specific ID of the Windows Insider build the device is getting. +- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action. +- **revisionNumber** Update revision number. +- **updateId** Update ID. +- **updateScenarioType** The update session type. +- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. +- **wuDeviceid** Unique device ID used by Windows Update. + + +### Microsoft.Windows.Update.Orchestrator.updateSettingsFlushFailed + +This event sends information about an update that encountered problems and was not able to complete. + +The following fields are available: + +- **errorCode** The error code encountered. +- **wuDeviceid** The ID of the device in which the error occurred. + + +### Microsoft.Windows.Update.Orchestrator.UsoSession + +This event represents the state of the USO service at start and completion. + +The following fields are available: + +- **activeSessionid** A unique session GUID. +- **eventScenario** The state of the update action. +- **interactive** Is the USO session interactive? +- **lastErrorcode** The last error that was encountered. +- **lastErrorstate** The state of the update when the last error was encountered. +- **sessionType** A GUID that refers to the update session type. +- **updateScenarioType** A descriptive update session type. +- **wuDeviceid** The Windows Update device GUID. + + +### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState + +This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. + +The following fields are available: + +- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before a Reboot Failed dialog will be shown. +- **DeviceLocalTime** The date and time (based on the device date/time settings) the reboot mode changed. +- **EngagedModeLimit** The number of days to switch between DTE (Direct-to-Engaged) dialogs. +- **EnterAutoModeLimit** The maximum number of days a device can enter Auto Reboot mode. +- **ETag** The Entity Tag that represents the OneSettings version. +- **IsForcedEnabled** Identifies whether Forced Reboot mode is enabled for the device. +- **IsUltimateForcedEnabled** Identifies whether Ultimate Forced Reboot mode is enabled for the device. +- **OldestUpdateLocalTime** The date and time (based on the device date/time settings) this update’s reboot began pending. +- **RebootUxState** Identifies the reboot state: Engaged, Auto, Forced, UltimateForced. +- **RebootVersion** The version of the DTE (Direct-to-Engaged). +- **SkipToAutoModeLimit** The maximum number of days to switch to start while in Auto Reboot mode. +- **UpdateId** The ID of the update that is waiting for reboot to finish installation. +- **UpdateRevision** The revision of the update that is waiting for reboot to finish installation. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded + +This event is sent when a security update has successfully completed. + +The following fields are available: + +- **UtcTime** The Coordinated Universal Time that the restart was no longer needed. + + +### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled + +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. + +The following fields are available: + +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **rebootUsingSmartScheduler** Indicates that the reboot is scheduled by SmartScheduler. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** Unique DeviceID + + +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask + +This event is sent when MUSE broker schedules a task. + +The following fields are available: + +- **TaskArgument** The arguments with which the task is scheduled. +- **TaskName** Name of the task. + + +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled + +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up to date. + +The following fields are available: + +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **IsEnhancedEngagedReboot** TRUE if the reboot path is Enhanced Engaged. Otherwise, FALSE. +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **rebootUsingSmartScheduler** TRUE if the reboot should be performed by the Smart Scheduler. Otherwise, FALSE. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. +- **wuDeviceid** The Windows Update device GUID. + + +## Windows Update mitigation events + +### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages + +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **MountedImageCount** Number of mounted images. +- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT. +- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. +- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. +- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. +- **WuId** Unique ID for the Windows Update client. + + +### Mitigation360Telemetry.MitigationCustom.FixupEditionId + +This event sends data specific to the FixupEditionId mitigation used for OS updates. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **EditionIdUpdated** Determine whether EditionId was changed. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **ProductEditionId** Expected EditionId value based on GetProductInfo. +- **ProductType** Value returned by GetProductInfo. +- **RegistryEditionId** EditionId value in the registry. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **WuId** Unique ID for the Windows Update client. + + +## Winlogon events + +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon + +This event signals the completion of the setup process. It happens only once during the first logon. + + + +## XBOX events + +### Microsoft.Xbox.XamTelemetry.AppActivationError + +This event indicates whether the system detected an activation error in the app. + +The following fields are available: + +- **ActivationUri** Activation URI (Uniform Resource Identifier) used in the attempt to activate the app. +- **AppId** The Xbox LIVE Title ID. +- **AppUserModelId** The AUMID (Application User Model ID) of the app to activate. +- **Result** The HResult error. +- **UserId** The Xbox LIVE User ID (XUID). + + +### Microsoft.Xbox.XamTelemetry.AppActivity + +This event is triggered whenever the current app state is changed by: launch, switch, terminate, snap, etc. + +The following fields are available: + +- **AppActionId** The ID of the application action. +- **AppCurrentVisibilityState** The ID of the current application visibility state. +- **AppId** The Xbox LIVE Title ID of the app. +- **AppPackageFullName** The full name of the application package. +- **AppPreviousVisibilityState** The ID of the previous application visibility state. +- **AppSessionId** The application session ID. +- **AppType** The type ID of the application (AppType_NotKnown, AppType_Era, AppType_Sra, AppType_Uwa). +- **BCACode** The BCA (Burst Cutting Area) mark code of the optical disc used to launch the application. +- **DurationMs** The amount of time (in milliseconds) since the last application state transition. +- **IsTrialLicense** This boolean value is TRUE if the application is on a trial license. +- **LicenseType** The type of licensed used to authorize the app (0 - Unknown, 1 - User, 2 - Subscription, 3 - Offline, 4 - Disc). +- **LicenseXuid** If the license type is 1 (User), this field contains the XUID (Xbox User ID) of the registered owner of the license. +- **ProductGuid** The Xbox product GUID (Globally-Unique ID) of the application. +- **UserId** The XUID (Xbox User ID) of the current user. + + + diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 946372eb72..37a8b7a031 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -157,7 +157,13 @@ The following table defines the endpoints for other diagnostic data services: | Service | Endpoint | | - | - | -| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| [Windows Error Reporting](https://msdn.microsoft.com/library/windows/desktop/bb513641.aspx) | watson.telemetry.microsoft.com | +| | ceuswatcab01.blob.core.windows.net | +| | ceuswatcab02.blob.core.windows.net | +| | eaus2watcab01.blob.core.windows.net | +| | eaus2watcab02.blob.core.windows.net | +| | weus2watcab01.blob.core.windows.net | +| | weus2watcab02.blob.core.windows.net | | [Online Crash Analysis](https://msdn.microsoft.com/library/windows/desktop/ee416349.aspx) | oca.telemetry.microsoft.com | | OneDrive app for Windows 10 | vortex.data.microsoft.com/collect/v1 | @@ -359,7 +365,7 @@ Use the appropriate value in the table below when you configure the management p | Full | Security data, basic system and quality data, enhanced insights and advanced reliability data, and full diagnostics data. | **3** | > [!NOTE] - > When the User Configuration policy is set for Diagnostic Data, this will override the Computer Configuration setting. + > When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. ### Use Group Policy to set the diagnostic data level diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index c0ca7c819c..c3e3209466 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -16,6 +16,7 @@ ms.date: 01/17/2018 **Applies to** +- Windows 10, version 1809 - Windows 10, version 1803 ## Introduction @@ -31,7 +32,9 @@ Before you can use this tool, you must turn on data viewing in the **Settings** **To turn on data viewing** 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. -2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.

      ![Location to turn on data viewing](images/ddv-data-viewing.png) +2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option. + + ![Location to turn on data viewing](images/ddv-data-viewing.png) ### Download the Diagnostic Data Viewer Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. @@ -42,7 +45,11 @@ You must start this app from the **Settings** panel. **To start the Diagnostic Data Viewer** 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. -2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.

      ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)

      -OR-

      Go to **Start** and search for _Diagnostic Data Viewer_. +2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button. + + ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)

      -OR-

      + + Go to **Start** and search for _Diagnostic Data Viewer_. 3. Close the Diagnostic Data Viewer app, use your device as you normally would for a few days, and then open Diagnostic Data Viewer again to review the updated list of diagnostic data. @@ -52,18 +59,32 @@ You must start this app from the **Settings** panel. ### Use the Diagnostic Data Viewer The Diagnostic Data Viewer provides you with the following features to view and filter your device's diagnostic data. -- **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft.

      Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system. +- **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. -- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text.

      Selecting an event opens the detailed JSON view, with the matching text highlighted. + Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system. + + ![View your diagnostic events](images/ddv-event-view.png) -- **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft.

      Selecting a check box lets you filter between the diagnostic event categories. +- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. -- **Help to make your Windows experience better.** Microsoft samples diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.

      To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the sampling group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). + Selecting an event opens the detailed JSON view, with the matching text highlighted. -- **Provide diagnostic event feedback.** The **Feedback** icon opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.

      Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**. +- **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft. + + Selecting a check box lets you filter between the diagnostic event categories. + + ![Filter your diagnostic event categories](images/ddv-event-view-filter.png) + +- **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. + + To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). + +- **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events. + + Selecting a specific event in the Diagnostic Data Viewer automatically fills in the field in the Feedback Hub. You can add your comments to the box labeled, **Give us more detail (optional)**. - >[!Important] - >All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments. + >[!Important] + >All content in the Feedback Hub is publicly viewable. Therefore, make sure you don't put any personal info into your feedback comments. ## Turn off data viewing When you're done reviewing your diagnostic data, you should turn of data viewing. @@ -71,10 +92,27 @@ When you're done reviewing your diagnostic data, you should turn of data viewing **To turn off data viewing** 1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**. -2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.

      ![Location to turn off data viewing](images/ddv-settings-off.png) +2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option. + + ![Location to turn off data viewing](images/ddv-settings-off.png) ## View additional diagnostic data in the View problem reports tool -You can review additional Windows Error Reporting diagnostic data in the **View problem reports** tool. This tool provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system. +Available on Windows 1809 and higher, you can review additional Windows Error Reporting diagnostic data in the **View problem reports** page within the Diagnostic Data Viewer. +This page provides you with a summary of various crash reports that are sent to Microsoft as part of Windows Error Reporting. +We use this data to find and fix specific issues that are hard to replicate and to improve the Windows operating system. -**To view your Windows Error Reporting diagnostic data** -1. Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.

      -OR-

      Go to **Start** and search for _Problem Reports_.

      The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.

      ![View problem reports tool with report statuses](images/ddv-problem-reports-screen.png) +You can also use the Windows Error Reporting tool available in the Control Panel. + +**To view your Windows Error Reporting diagnostic data using the Diagnostic Data Viewer** + +Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer. + +![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer](images/ddv-problem-reports.png) + +**To view your Windows Error Reporting diagnostic data using the Control Panel** + +Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Security and Maintenance** > **Problem Reports**.

      -OR-

      +Go to **Start** and search for _Problem Reports_. +The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft. + +![View problem reports tool with report statuses](images/control-panel-problem-reports-screen.png) diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index 3f4c11004e..e1797ff113 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -1,15 +1,15 @@ --- description: Use this article to learn more about the enhanced diagnostic data events used by Windows Analytics -title: Windows 10, version 1709 enhanced telemtry events and fields used by Windows Analytics (Windows 10) +title: Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics (Windows 10) keywords: privacy, diagnostic data ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security ms.localizationpriority: high -ms.date: 10/16/2017 -author: jaimeo -ms.author: jaimeo +ms.date: 11/9/2018 +author: danihalfin +ms.author: daniha --- @@ -57,6 +57,184 @@ The following fields are available: - **WriteCountAtExit_Sum:** Total number of IO writes for a process when it exited - **WriteSizeInKBAtExit_Sum:** Total size of IO writes for a process when it exited +## Microsoft.Office.TelemetryEngine.IsPreLaunch +Applicable for Office UWP applications. This event is fired when an office application is initiated for the first-time post upgrade/install from the store. This is part of basic diagnostic data, used to track whether a particular session is launch session or not. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **SessionID:** ID of the session + +## Microsoft.Office.SessionIdProvider.OfficeProcessSessionStart +This event sends basic information upon the start of a new Office session. This is used to count the number of unique sessions seen on a given device. This is used as a heartbeat event to ensure that the application is running on a device or not. In addition, it serves as a critical signal for overall application reliability. + +- **AppSessionGuid:** ID of the session which maps to the process of the application +- **processSessionId:** ID of the session which maps to the process of the application + +## Microsoft.Office.TelemetryEngine.SessionHandOff +Applicable to Win32 Office applications. This event helps us understand whether there was a new session created to handle a user-initiated file open event. It is a critical diagnostic information that is used to derive reliability signal and ensure that the application is working as expected. + +- **appVersionBuild:** Third part Build version of the application *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **childSessionID:** Id of the session that was created to handle the user initiated file open +- **parentSessionId:** ID of the session that was already running + +## Microsoft.Office.CorrelationMetadata.UTCCorrelationMetadata +Collects Office metadata through UTC to compare with equivalent data collected through the Office telemetry pipeline to check correctness and completeness of data. + +- **abConfigs:** List of features enabled for this session +- **abFlights:** List of features enabled for this session +- **AppSessionGuid:** ID of the session +- **appVersionBuild:** Third part Build version of the application *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRevision:** Fourth part of the version *.*.*.XXXXX +- **audienceGroup:** Is this part of the insiders or production +- **audienceId:** ID of the audience setting +- **channel:** Are you part of Semi annual channel or Semi annual channel-Targeted? +- **deviceClass:** Is this a desktop or a mobile? +- **impressionId:** What features were available to you in this session +- **languageTag:** Language of the app +- **officeUserID:** A unique identifier tied to the office installation on a particular device. +- **osArchitecture:** Is the machine 32 bit or 64 bit? +- **osEnvironment:** Is this a win32 app or a UWP app? +- **osVersionString:** Version of the OS +- **sessionID:** ID of the session + +## Microsoft.Office.ClickToRun.UpdateStatus +Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details). + +- **build:** App version +- **channel:** Is this part of SAC or SAC-T? +- **errorCode:** What error occurred during the upgrade process? +- **errorMessage:** what was the error message during the upgrade process? +- **status:** Was the upgrade successful or not? +- **targetBuild:** What app version were we trying to upgrade to? + +## Microsoft.Office.TelemetryEngine.FirstIdle +This event is fired when the telemetry engine within an office application is ready to send telemetry. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.FirstProcessed +This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.FirstRuleRequest +This event is fired when the telemetry engine within an office application has received the first rule or list of events that need to be sent by the app. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.Init +This event is fired when the telemetry engine within an office application has been initialized or not. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.Resume +This event is fired when the application resumes from sleep state. Used for understanding whether there are issues in the application life-cycle. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **maxSequenceIdSeen:** How many events from this session have seen so far? +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.RuleRequestFailed +This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.RuleRequestFailedDueToClientOffline +This event is fired when the telemetry engine within an office application fails to retrieve the rules containing the list of telemetry events, when the device is offline. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.ShutdownComplete +This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **maxSequenceIdSeen:** How many events from this session have seen so far? +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.ShutdownStart +This event is fired when the telemetry engine within an office application been uninitialized, and the application is shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? +- **SessionID:** ID of the session + +## Microsoft.Office.TelemetryEngine.SuspendComplete +This event is fired when the telemetry engine within an office application has processed the rules or the list of events that we need to collect. Used for understanding whether there are issues in telemetry. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **maxSequenceIdSeen:** How many events from this session have seen so far? +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? +- **SessionID:** ID of the session +- **SuspendType:** Type of suspend + +## Microsoft.Office.TelemetryEngine.SuspendStart +This event is fired when the office application suspends as per app life-cycle change. Used for understanding whether there are issues in the application life-cycle. + +- **appVersionBuild:** Third part of the version *.*.XXXXX.* +- **appVersionMajor:** First part of the version X.*.*.* +- **appVersionMinor:** Second part of the version *.X.*.* +- **appVersionRev:** Fourth part of the version *.*.*.XXXXX +- **maxSequenceIdSeen:** How many events from this session have seen so far? +- **officeUserID:** This is an ID of the installation tied to the device. It does not map to a particular user +- **rulesSubmittedBeforeResume:** How many events were submitted before the process was resumed? +- **SessionID:** ID of the session +- **SuspendType:** Type of suspend + ## Microsoft.OSG.OSS.CredProvFramework.ReportResultStop This event indicates the result of an attempt to authenticate a user with a credential provider. It helps Microsoft to improve logon reliability. Using this event with Windows Analytics can help organizations monitor and improve logon success for different methods (for example, biometric) on managed devices. @@ -131,33 +309,6 @@ The following fields are available: - **isTrustletRunning:** Indicates whether an enhanced security component is currently running - **isVsmCfg:** Flag indicating whether virtual secure mode is configured or not -## Microsoft.Windows.Security.Certificates.PinRulesCaCertUsedAnalytics -The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. - -The following fields are available: - -- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys) -- **certThumbprint:** Certificate thumbprint - -## Microsoft.Windows.Security.Certificates.PinRulesCheckedAnalytics -The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. - -The following fields are available: - -- **caThumbprints:** Intermediate certificate thumbprints -- **rootThumbprint:** Root certificate thumbprint -- **serverName:** Server name associated with the certificate -- **serverThumbprint:** Server certificate thumbprint -- **statusBits:** Certificate status - -## Microsoft.Windows.Security.Certificates.PinRulesServerCertUsedAnalytics -The Microsoft.Windows.Security.Certificates.Pin\*Analytics events summarize which server certificates the client encounters. By using this event with Windows Analytics, organizations can use this to determine potential scope and impact of pending certificate revocations or expirations. - -The following fields are available: - -- **certBinary:** Binary blob of public certificate as presented to the client (does not include any private keys) -- **certThumbprint:** Certificate thumbprint - ## Microsoft.Windows.Security.Winlogon.SystemBootStop System boot has completed. @@ -251,7 +402,16 @@ The following fields are available: - **WindowHeight:** Number of vertical pixels in the application window - **WindowWidth:** Number of horizontal pixels in the application window -# Revisions to the diagnostic data events and fields +## Revisions -## PartA_UserSid removed -A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event. Note that you can use the Windows Diagnostic Data Viewer to review the contents of the event. +### PartA_UserSid removed +A previous revision of this list stated that a field named PartA_UserSid was a member of the event Microsoft.Windows.LogonController.LogonAndUnlockSubmit. This was incorrect. The list has been updated to reflect that no such field is present in the event. + +### Office events added +In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 16 events were added, describing Office app launch and availability. These events were added to improve the precision of Office data in Windows Analytics. + +### CertAnalytics events removed +In Windows 10, version 1809 (also applies to versions 1709 and 1803 starting with [KB 4462932](https://support.microsoft.com/help/4462932/windows-10-update-kb4462932) and [KB 4462933](https://support.microsoft.com/help/4462933/windows-10-update-kb4462933) respectively), 3 "CertAnalytics" events were removed, as they are no longer required for Windows Analytics. + +>[!NOTE] +>You can use the Windows Diagnostic Data Viewer to observe and review events and their fields as described in this topic. diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md index 90fc1a209c..273464ae5a 100644 --- a/windows/privacy/gdpr-it-guidance.md +++ b/windows/privacy/gdpr-it-guidance.md @@ -1,5 +1,5 @@ --- -title: Windows 10 and the GDPR for IT Decision Makers +title: Windows and the GDPR-Information for IT Administrators and Decision Makers description: Use this topic to understand the relationship between users in your organization and Microsoft in the context of the GDPR (General Data Protection Regulation). keywords: privacy, GDPR, windows, IT ms.prod: w10 @@ -11,12 +11,17 @@ author: danihalfin ms.author: daniha ms.date: 05/11/2018 --- -# Windows 10 and the GDPR for IT Decision Makers +# Windows and the GDPR: Information for IT Administrators and Decision Makers Applies to: +- Windows 10, version 1809 - Windows 10, version 1803 - Windows 10, version 1709 - Windows 10, version 1703 +- Windows 10 Team Edition, version 1703 for Surface Hub +- Windows Server 2019 +- Windows Server 2016 +- Windows Analytics This topic provides IT Decision Makers with a basic understanding of the relationship between users in an organization and Microsoft in the context of the GDPR (General Data Protection Regulation). You will also learn what role an IT organization plays for that relationship. @@ -35,7 +40,7 @@ Here are some GDPR fundamentals: * The European law establishes strict global data privacy requirements governing how organizations manage and protect personal data while respecting individual choice – no matter where data is sent, processed, or stored. * A request by an individual to an organization to take an action on their personal data is referred to here as a *data subject request*, or *DSR*. -Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR requires significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization. +Microsoft believes data privacy is a fundamental right, and that the GDPR is an important step forward for clarifying and enabling individual privacy rights. We also recognize that the GDPR required significant changes by organizations all over the world with regard to the discovery, management, protection, and reporting of personal data that is collected, processed, and stored within an organization. ### What is personal data under the GDPR? @@ -87,7 +92,7 @@ It is important to differentiate between two distinct types of data Windows serv A user action, such as performing a Skype call, usually triggers the collection and transmission of Windows *functional data*. Some Windows components and applications connecting to Microsoft services also exchange Windows functional data to provide user functionality. Some other examples of Windows functional data: -* The Weather app which uses the device’s location to retrieve local weather or community news. +* The Weather app which can use the device’s location to retrieve local weather or community news. * Wallpaper and desktop settings that are synchronized across multiple devices. For more info on how IT Professionals can manage Windows functional data sent from an organization to Microsoft, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). @@ -100,10 +105,10 @@ Some examples of diagnostic data include: * The type of hardware being used, information about installed apps and usage details, and reliability data on drivers running on the device. * For users who have turned on “Tailored experiences”, it can be used to offer personalized tips, ads, and recommendations to enhance Microsoft products and services for the needs of the user. -To find more about what information is collected, how it is handled, and the available Windows diagnostic data levels, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data) and [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). +Diagnostic data is categorized into the levels "Security", "Basic", "Enhanced", and "Full". For a detailed discussion about these diagnostic data levels please see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). To find more about what information is collected and how it is handled, see [Understanding Windows diagnostic data](configure-windows-diagnostic-data-in-your-organization.md#understanding-windows-diagnostic-data). >[!IMPORTANT] ->Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data to the respective publisher. Please contact them for further guidance on how to control the diagnostic data collection level and transmission of these publishers. +>Other Microsoft services as well as 3rd party applications and drivers running on Windows devices may implement their own functionality, independently from Windows, to transport their diagnostic data. Please contact the publisher for further guidance on how to control the diagnostic data collection level and transmission of these applications and services. ### Windows services where Microsoft is the processor under the GDPR @@ -123,7 +128,7 @@ As a result, in terms of the GDPR, the organization that has subscribed to Windo >The IT organization must explicitly enable Windows Analytics for a device after the organization subscribes. >[!IMPORTANT] ->Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for a particular device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. +>Windows Analytics does not collect Windows Diagnostic data by itself. Instead, Windows Analytics only uses a subset of Windows Diagnostic data that is collected by Windows for an enrolled device. The Windows Diagnostic data collection is controlled by the IT department of an organization or the user of a device. #### Windows Defender ATP @@ -140,27 +145,43 @@ The following table lists in what GDPR mode – controller or processor – Wind | Service | Microsoft GDPR mode of operation | | --- | --- | -| Windows Functional data | Controller | +| Windows Functional data | Controller or Processor* | | Windows Diagnostic data | Controller | | Windows Analytics | Processor | | Windows Defender Advanced Threat Detection (ATP) | Processor | *Table 1: Windows 10 GDPR modes of operations for different Windows 10 services* -## Recommended diagnostic data level settings +*/*Depending on which application/feature this is referring to.* -Windows diagnostic data collection level can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. +## Windows diagnostic data and Windows 10 -* For Windows 10, version 1803, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). Those organizations who wish to share the smallest set of events for Windows Analytics can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” filtering mechanism that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. + +### Recommended Windows 10 settings + +Windows diagnostic data collection level for Windows 10 can be set by a user in Windows (*Start > Settings > Privacy > Diagnostics & feedback*) or by the IT department of an organization, using Group Policy or Mobile Device Management (MDM) techniques. + +* For Windows 10, version 1803 and version 1809, Microsoft recommends setting the Windows diagnostic level to “Enhanced”. This enables organizations to get the full functionality of [Windows Analytics](#windows-analytics). >[!NOTE] >For more information on the Enhanced level, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). * For Windows 10, version 1709, and Windows 10, version 1703, the recommended Windows diagnostic level configuration for EEA and Switzerland commercial users is “Basic”. -* For Windows 7, Microsoft recommends configuring enterprise devices for Windows Analytics to facilitate upgrade planning to Windows 10. +>[!NOTE] +>For Windows 7, Microsoft recommends [configuring enterprise devices for Windows Analytics](/windows/deployment/update/windows-analytics-get-started) to facilitate upgrade planning to Windows 10. -## Controlling the data collection and notification about it +### Additional information for Windows Analytics + +Some Windows Analytics solutions and functionality, such as Update Compliance, works with “Basic” as minimum Windows diagnostic level. Other solutions and functionality of Windows Analytics, such as Device Health, require “Enhanced”. + +Those organizations who wish to share the smallest set of events for Windows Analytics and have set the Windows diagnostic level to “Enhanced” can use the “Limit Enhanced diagnostic data to the minimum required by Windows Analytics” setting. This filtering mechanism was that Microsoft introduced in Windows 10, version 1709. When enabled, this feature limits the operating system diagnostic data events included in the Enhanced level to the smallest set of data required by Windows Analytics. + +>[!NOTE] +>Additional information can be found at [Windows Analytics and privacy](/windows/deployment/update/windows-analytics-privacy +). + +## Controlling Windows 10 data collection and notification about it Windows 10 sends diagnostic data to Microsoft services, and some of that data can contain personal data. Both the user and the IT organization have the ability to control the transmission of that data to Microsoft. @@ -200,26 +221,59 @@ IT Professionals that are interested in this configuration, see [Windows 10 pers To find out more about the network connections that Windows components make to Microsoft as well as the privacy settings that affect data shared with either Microsoft or apps, see [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) and [Manage Windows 10 connection endpoints](manage-windows-endpoints.md). These articles describe how these settings can be managed by an IT Professional. -## At-a-glance: the relationship between an IT organization and the GDPR +### At-a-glance: the relationship between an IT organization and the GDPR Because Microsoft is a controller for data collected by Windows 10, the user can work with Microsoft to satisfy GDPR requirements. While this relationship between Microsoft and a user is evident in a consumer scenario, an IT organization can influence that relationship in an enterprise scenario. For example, the IT organization has the ability to centrally configure the Windows diagnostic data level by using Group Policy or MDM settings. +## Windows Server + +Windows Server follows the same mechanisms as Windows 10 for handling of personal data – for example, when collecting Windows diagnostic data. + +More detailed information about Windows Server and the GDPR is available at Beginning your General Data Protection Regulation (GDPR) journey for Windows Server. + +### Windows diagnostic data and Windows Server + +The lowest diagnostic data setting level supported on Windows Server 2016 and Windows Server 2019 through management policies is “Security”. The lowest diagnostic data setting supported through the Settings UI is “Basic”. The default diagnostic data level for all Windows Server 2016 and Windows Server 2019 editions is “Enhanced”. + +IT administrators can configure the Windows Server diagnostic data settings using familiar management tools, such as Group Policy, MDM, or Windows Provisioning. IT administrators can also manually change settings using Registry Editor. Setting the Windows Server diagnostic data levels through a management policy overrides any device-level settings. + +There are two options for deleting Windows diagnostic data from a Windows Server machine: + +- If the “Desktop Experience” option was chosen during the installation of Windows Server 2019, then there are the same options available for an IT administrator that end users have with Windows 10, version 1803 and version 1809, to submit a request for deleting that device’s diagnostic data. This is done by clicking the **Delete** button in the **Delete diagnostic data** section of **Start > Settings > Privacy > Diagnostics & feedback**. +- Microsoft has provided a [PowerShell cmdlet](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata) that IT administrators can use to delete Windows diagnostic data via the command line on a machine running Windows Server 2016 or Windows Server 2019. This cmdlet provides the same functionality for deleting Windows diagnostic data as with Desktop Experience on Windows Server 2019. For more information, see [the PowerShell Gallery](https://www.powershellgallery.com/packages/WindowsDiagnosticData). + +### Backups and Windows Server + +Backups, including live backups and backups that are stored locally within an organization or in the cloud, can contain personal data. + +- Backups an organizations creates, for example by using Windows Server Backup (WSB), are under its control. For example, for exporting personal data contained in a backup, the organization needs to restore the appropriate backup sets to facilitate the respective data subject request (DSR). +- The GDPR also applies when storing backups in the cloud. For example, an organization can use Microsoft Azure Backup to backup files and folders from physical or virtual Windows Server machines (located on-premises or in Azure) to the cloud. The organization that is subscribed to this backup service also has the obligation to restore the data in order to exercise the respective DSR. + +## Windows 10 Team Edition, Version 1703 for Surface Hub + +Surface Hub is a shared device used within an organization. The device identifier collected as part of diagnostic data is not connected to a user. For removing Windows diagnostic data sent to Microsoft for a Surface Hub, Microsoft created the Surface Hub Delete Diagnostic Data tool available in the Microsoft Store. + +>[!NOTE] +>Additional apps running on the device, that are not delivered as part of the in-box experience of Surface Hub, may implement their own diagnostic data collection and transmission functionality independently to collect and process personal data. Please contact the app publisher for further guidance on how to control this. + +An IT administrator can configure privacy- related settings, such as setting the Windows diagnostic data level to Basic. Surface Hub does not support group policy for centralized management; however, IT administrators can use MDM to apply these settings to Surface Hub. For more information about Surface Hub and MDM, please see [Manage settings with an MDM provider](https://docs.microsoft.com/surface-hub/manage-settings-with-mdm-for-surface-hub). + ## Further reading ### Optional settings / features that further improve the protection of personal data -Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use the modern and advanced security features of Windows 10. An IT organization can learn more at [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10) and [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure). +Personal data protection is one of the goals of the GDPR. One way of improving personal data protection is to use the modern and advanced security features of Windows 10. An IT organization can learn more at [Mitigate threats by using Windows 10 security features](/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10) and [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). >[!NOTE] >Some of these features might require a particular Windows hardware, such as a computer with a Trusted Platform Module (TPM) chip, and can depend on a particular Windows product (such as Windows 10 E5). ### Windows Security Baselines -Microsoft has created Windows Security Baselines to efficiently configure Windows 10. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines). +Microsoft has created Windows Security Baselines to efficiently configure Windows 10 and Windows Server. For more information, please visit [Windows Security Baselines](/windows/security/threat-protection/windows-security-baselines). ### Windows Restricted Traffic Limited Functionality Baseline -To make it easier to deploy settings that restrict connections from Windows 10 to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887). +To make it easier to deploy settings that restrict connections from Windows 10 and Windows Server to Microsoft, IT Professionals can apply the Windows Restricted Traffic Limited Functionality Baseline, available [here](https://go.microsoft.com/fwlink/?linkid=828887). >[!IMPORTANT] >Some of the settings of the Windows Restricted Traffic Limited Functionality Baseline will reduce the functionality and security configuration of a device in the organization and are therefore not recommended. diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md index c7dd56e8df..a8a0214f4a 100644 --- a/windows/privacy/gdpr-win10-whitepaper.md +++ b/windows/privacy/gdpr-win10-whitepaper.md @@ -293,7 +293,7 @@ For example, employees can’t send protected work files from a personal email a #### Capabilities to classify, assign permissions and share data Windows Information Protection is designed to coexist with advanced data loss prevention (DLP) capabilities found in Office 365 ProPlus, Azure Information Protection, and Azure Rights Management. Advanced DLP prevents printing, for example, or protects work data that is emailed outside your company. -To continously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud. +To continuously protect your data, regardless of where it is stored, with whom it is shared, or if the device is running iOS, Android or Windows, the classification and protection needs to be built into the file itself, so this protection can travel with the data wherever it goes. Microsoft Azure Information Protection (AIP) is designed to provide this persistent data protection both on-premises and in the cloud. Data classification is an important part of any data governance plan. Adopting a classification scheme that applies throughout your business can be particularly helpful in responding to what the GDPR calls data subject (for example, your EU employee or customer) requests, because it enables enterprises to identify more readily and process personal data requests. @@ -307,19 +307,19 @@ Azure Information Protection also helps your users share sensitive data in a sec ## Related content for associated Windows 10 solutions -- **Windows Hello for Business:** https://www.youtube.com/watch?v=WOvoXQdj-9E and https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification +- **Windows Hello for Business:** https://www.youtube.com/watch?v=WOvoXQdj-9E and https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-identity-verification -- **Windows Defender Antivirus:** https://www.youtube.com/watch?v=P1aNEy09NaI and https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10 +- **Windows Defender Antivirus:** https://www.youtube.com/watch?v=P1aNEy09NaI and https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10 -- **Windows Defender Advanced Threat Protection:** https://www.youtube.com/watch?v=qxeGa3pxIwg and https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection +- **Windows Defender Advanced Threat Protection:** https://www.youtube.com/watch?v=qxeGa3pxIwg and https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection -- **Windows Defender Device Guard:** https://www.youtube.com/watch?v=F-pTkesjkhI and https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide +- **Windows Defender Device Guard:** https://www.youtube.com/watch?v=F-pTkesjkhI and https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide -- **Windows Defender Credential Guard:** https://www.youtube.com/watch?v=F-pTkesjkhI and https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard +- **Windows Defender Credential Guard:** https://www.youtube.com/watch?v=F-pTkesjkhI and https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard -- **Windows Information Protection:** https://www.youtube.com/watch?v=wLkQOmK7-Jg and https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip +- **Windows Information Protection:** https://www.youtube.com/watch?v=wLkQOmK7-Jg and https://docs.microsoft.com/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip -- Windows 10 Security Guide: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-10-security-guide +- Windows 10 Security Guide: https://technet.microsoft.com/itpro/windows/keep-secure/windows-10-security-guide ## Disclaimer This article is a commentary on the GDPR, as Microsoft interprets it, as of the date of publication. We’ve spent a lot of time with GDPR and like to think we’ve been thoughtful about its intent and meaning. But the application of GDPR is highly fact-specific, and not all aspects and interpretations of GDPR are well-settled. @@ -332,4 +332,4 @@ This article does not provide you with any legal rights to any intellectual prop Published September 2017
      Version 1.0
      -© 2017 Microsoft. All rights reserved. \ No newline at end of file +© 2017 Microsoft. All rights reserved. diff --git a/windows/privacy/images/ddv-problem-reports-screen.png b/windows/privacy/images/control-panel-problem-reports-screen.png similarity index 100% rename from windows/privacy/images/ddv-problem-reports-screen.png rename to windows/privacy/images/control-panel-problem-reports-screen.png diff --git a/windows/privacy/images/ddv-event-feedback.png b/windows/privacy/images/ddv-event-feedback.png index 393a0514b3..61c1c15e99 100644 Binary files a/windows/privacy/images/ddv-event-feedback.png and b/windows/privacy/images/ddv-event-feedback.png differ diff --git a/windows/privacy/images/ddv-event-view-basic.png b/windows/privacy/images/ddv-event-view-basic.png index 6d629af194..5668e13bec 100644 Binary files a/windows/privacy/images/ddv-event-view-basic.png and b/windows/privacy/images/ddv-event-view-basic.png differ diff --git a/windows/privacy/images/ddv-event-view-filter.png b/windows/privacy/images/ddv-event-view-filter.png index b463a8d6cc..addd53271d 100644 Binary files a/windows/privacy/images/ddv-event-view-filter.png and b/windows/privacy/images/ddv-event-view-filter.png differ diff --git a/windows/privacy/images/ddv-event-view.png b/windows/privacy/images/ddv-event-view.png index 8bb2319afb..264add2d9c 100644 Binary files a/windows/privacy/images/ddv-event-view.png and b/windows/privacy/images/ddv-event-view.png differ diff --git a/windows/privacy/images/ddv-export.png b/windows/privacy/images/ddv-export.png new file mode 100644 index 0000000000..25e62858db Binary files /dev/null and b/windows/privacy/images/ddv-export.png differ diff --git a/windows/privacy/images/ddv-problem-reports.png b/windows/privacy/images/ddv-problem-reports.png new file mode 100644 index 0000000000..49ae0fffc0 Binary files /dev/null and b/windows/privacy/images/ddv-problem-reports.png differ diff --git a/windows/privacy/index.yml b/windows/privacy/index.yml index b600667ee2..c0af2a06c7 100644 --- a/windows/privacy/index.yml +++ b/windows/privacy/index.yml @@ -144,7 +144,7 @@ sections: html:

      Windows 10 on Trust Center

      -

      GDPR on Microsoft 365 Compliance solutions

      +

      GDPR on Microsoft 365 Compliance solutions

      Support for GDPR Accountability on Service Trust Portal

      \ No newline at end of file diff --git a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md new file mode 100644 index 0000000000..ee8ecf4a8b --- /dev/null +++ b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md @@ -0,0 +1,92 @@ +--- +title: MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL +description: MICROSOFT SOFTWARE LICENSE TERMS +keywords: privacy, license, terms +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 11/16/2018 +robots: noindex,nofollow +--- + +MICROSOFT SOFTWARE LICENSE TERMS + +MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL + + + +These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or additional terms, in which case those different terms apply prospectively and do not alter your or Microsoft’s rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS. + +1. INSTALLATION AND USE RIGHTS. + +a) General. You may install and use any number of copies of the software. + +b) Third Party Software. The software may include third party applications that Microsoft, not the third party, licenses to you under this agreement. Any included notices for third party applications are for your information only. + +2. DATA COLLECTION. The software may collect information about you and your use of the software and send that to Microsoft. Microsoft may use this information to provide services and improve Microsoft’s products and services. Your opt-out rights, if any, are described in the product documentation. Some features in the software may enable collection of data from users of your applications that access or use the software. If you use these features to enable data collection in your applications, you must comply with applicable law, including getting any required user consent, and maintain a prominent privacy policy that accurately informs users about how you use, collect, and share their data. You can learn more about Microsoft’s data collection and use in the product documentation and the Microsoft Privacy Statement at https://go.microsoft.com/fwlink/?LinkId=512132. You agree to comply with all applicable provisions of the Microsoft Privacy Statement. + +3. SCOPE OF LICENSE. The software is licensed, not sold. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you will not (and have no right to): + +a) work around any technical limitations in the software that only allow you to use it in certain ways; + +b) reverse engineer, decompile or disassemble the software; + +c) remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software; + +d) use the software in any way that is against the law or to create or propagate malware; or + +e) share, publish, distribute, or lend the software, provide the software as a stand-alone hosted solution for others to use, or transfer the software or this agreement to any third party. + +4. EXPORT RESTRICTIONS. You must comply with all domestic and international export laws and regulations that apply to the software, which include restrictions on destinations, end users, and end use. For further information on export restrictions, visit http://aka.ms/exporting. + +5. SUPPORT SERVICES. Microsoft is not obligated under this agreement to provide any support services for the software. Any support provided is “as is”, “with all faults”, and without warranty of any kind. + +6. ENTIRE AGREEMENT. This agreement, and any other terms Microsoft may provide for supplements, updates, or third-party applications, is the entire agreement for the software. + +7. APPLICABLE LAW AND PLACE TO RESOLVE DISPUTES. If you acquired the software in the United States or Canada, the laws of the state or province where you live (or, if a business, where your principal place of business is located) govern the interpretation of this agreement, claims for its breach, and all other claims (including consumer protection, unfair competition, and tort claims), regardless of conflict of laws principles. If you acquired the software in any other country, its laws apply. If U.S. federal jurisdiction exists, you and Microsoft consent to exclusive jurisdiction and venue in the federal court in King County, Washington for all disputes heard in court. If not, you and Microsoft consent to exclusive jurisdiction and venue in the Superior Court of King County, Washington for all disputes heard in court. + +8. CONSUMER RIGHTS; REGIONAL VARIATIONS. This agreement describes certain legal rights. You may have other rights, including consumer rights, under the laws of your state, province, or country. Separate and apart from your relationship with Microsoft, you may also have rights with respect to the party from which you acquired the software. This agreement does not change those other rights if the laws of your state, province, or country do not permit it to do so. For example, if you acquired the software in one of the below regions, or mandatory country law applies, then the following provisions apply to you: + +a) Australia. You have statutory guarantees under the Australian Consumer Law and nothing in this agreement is intended to affect those rights. + +b) Canada. If you acquired this software in Canada, you may stop receiving updates by turning off the automatic update feature, disconnecting your device from the Internet (if and when you re-connect to the Internet, however, the software will resume checking for and installing updates), or uninstalling the software. The product documentation, if any, may also specify how to turn off updates for your specific device or software. + +c) Germany and Austria. + +i. Warranty. The properly licensed software will perform substantially as described in any Microsoft materials that accompany the software. However, Microsoft gives no contractual guarantee in relation to the licensed software. + +ii. Limitation of Liability. In case of intentional conduct, gross negligence, claims based on the Product Liability Act, as well as, in case of death or personal or physical injury, Microsoft is liable according to the statutory law. + +Subject to the foregoing clause ii., Microsoft will only be liable for slight negligence if Microsoft is in breach of such material contractual obligations, the fulfillment of which facilitate the due performance of this agreement, the breach of which would endanger the purpose of this agreement and the compliance with which a party may constantly trust in (so-called "cardinal obligations"). In other cases of slight negligence, Microsoft will not be liable for slight negligence. + +9. DISCLAIMER OF WARRANTY. THE SOFTWARE IS LICENSED “AS IS.” YOU BEAR THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. TO THE EXTENT PERMITTED UNDER APPLICABLE LAWS, MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. + +10. LIMITATION ON AND EXCLUSION OF DAMAGES. IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES DESPITE THE PRECEDING DISCLAIMER OF WARRANTY, YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES. + +This limitation applies to (a) anything related to the software, services, content (including code) on third party Internet sites, or third party applications; and (b) claims for breach of contract, warranty, guarantee, or condition; strict liability, negligence, or other tort; or any other claim; in each case to the extent permitted by applicable law. + +It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your state, province, or country may not allow the exclusion or limitation of incidental, consequential, or other damages. + + + +Please note: As this software is distributed in Canada, some of the clauses in this agreement are provided below in French. + +Remarque: Ce logiciel étant distribué au Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français. + +EXONÉRATION DE GARANTIE. Le logiciel visé par une licence est offert « tel quel ». Toute utilisation de ce logiciel est à votre seule risque et péril. Microsoft n’accorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection des consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, d’adéquation à un usage particulier et d’absence de contrefaçon sont exclues. + +LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices. + +Cette limitation concerne: + +• tout ce qui est relié au logiciel, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et + +• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d’une autre faute dans la limite autorisée par la loi en vigueur. + +Elle s’applique également, même si Microsoft connaissait ou devrait connaître l’éventualité d’un tel dommage. Si votre pays n’autorise pas l’exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou l’exclusion ci-dessus ne s’appliquera pas à votre égard. + +EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d’autres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas. \ No newline at end of file diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 7287abf932..757bf80259 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -16,8 +16,9 @@ ms.date: 06/05/2018 **Applies to** -- Windows 10 Enterprise, version 1607 and newer -- Windows Server 2016 +- Windows 10 Enterprise, version 1607 and newer +- Windows Server 2016 +- Windows Server 2019 If you're looking for content on what each diagnostic data level means and how to configure it in your organization, see [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). @@ -43,6 +44,12 @@ Note that **Get Help** and **Give us Feedback** links no longer work after the W We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. +## What's new in Windows 10, version 1809 Enterprise edition + +Here's a list of changes that were made to this article for Windows 10, version 1809: + +- Added a policy to disable Windows Defender SmartScreen + ## What's new in Windows 10, version 1803 Enterprise edition Here's a list of changes that were made to this article for Windows 10, version 1803: @@ -74,17 +81,17 @@ Here's a list of changes that were made to this article for Windows 10, version - Added the following Group Policies: - - Prevent managing SmartScreen Filter - - Turn off Compatibility View - - Turn off Automatic Download and Install of updates - - Do not connect to any Windows Update locations - - Turn off access to all Windows Update features - - Specify Intranet Microsoft update service location - - Enable Windows NTP client - - Turn off Automatic download of the ActiveX VersionList - - Allow Automatic Update of Speech Data - - Accounts: Block Microsoft Accounts - - Do not use diagnostic data for tailored experiences + - Prevent managing SmartScreen Filter + - Turn off Compatibility View + - Turn off Automatic Download and Install of updates + - Do not connect to any Windows Update locations + - Turn off access to all Windows Update features + - Specify Intranet Microsoft update service location + - Enable Windows NTP client + - Turn off Automatic download of the ActiveX VersionList + - Allow Automatic Update of Speech Data + - Accounts: Block Microsoft Accounts + - Do not use diagnostic data for tailored experiences ## Management options for each setting @@ -99,19 +106,19 @@ The following table lists management options for each setting, beginning with Wi | Setting | UI | Group Policy | MDM policy | Registry | Command line | | - | :-: | :-: | :-: | :-: | :-: | -| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | | | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | -| [5. Find My Device](#find-my-device) | | ![Check mark](images/checkmark.png) | | | | -| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | -| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | @@ -142,6 +149,7 @@ The following table lists management options for each setting, beginning with Wi | [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | | [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | @@ -202,6 +210,63 @@ See the following table for a summary of the management settings for Windows Ser | [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | | +### Settings for Windows Server 2019 + +See the following table for a summary of the management settings for Windows Server 2019. + +| Setting | UI | Group Policy | MDM policy | Registry | Command line | +| - | :-: | :-: | :-: | :-: | :-: | +| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [2. Cortana and Search](#bkmk-cortana) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [8. Internet Explorer](#bkmk-ie) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [9. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [10. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [11. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [12. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [13. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [14. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [15. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [16. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [17. Settings > Privacy](#bkmk-settingssection) | | | | | | +|     [17.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)| ![Check mark](images/checkmark.png) | | +|     [17.6 Speech, inking, & typing](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | +|     [17.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [17.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [18. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [19. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | | | | +| [20. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [21. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [22. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +| [23. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +|     [23.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [24. Windows Media Player](#bkmk-wmp) | ![Check mark](images/checkmark.png) | | | | ![Check mark](images/checkmark.png) | +| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | +|     [26.1 Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | | | +| [27. Windows Update Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | +| [28. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | | + ## How to configure each setting Use the following sections for more information about how to configure each setting. @@ -219,18 +284,18 @@ For Windows 10, Windows Server 2016 with Desktop Experience, and Windows Server - Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Automatic Root Certificates Update** - -and- + -and- 1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**. 2. Double-click **Certificate Path Validation Settings**. 3. On the **Network Retrieval** tab, select the **Define these policy settings** check box. 4. Clear the **Automatically update certificates in the Microsoft Root Certificate Program (recommended)** check box, and then click **OK**. - -or- + -or- - Create the registry path **HKEY\_LOCAL\_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot** and then add a REG\_DWORD registry setting, named **DisableRootAutoUpdate**, with a value of 1. - -and- + -and- 1. Navigate to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies**. 2. Double-click **Certificate Path Validation Settings**. @@ -294,11 +359,11 @@ In Windows 10, version 1507 and Windows 10, version 1511, when you enable the ** 9. Configure the **Protocols and Ports** page with the following info, and then click **OK**. - - For **Protocol type**, choose **TCP**. + - For **Protocol type**, choose **TCP**. - - For **Local port**, choose **All Ports**. + - For **Local port**, choose **All Ports**. - - For **Remote port**, choose **All ports**. + - For **Remote port**, choose **All ports**. If your organization tests network traffic, do not use a network proxy as Windows Firewall does not block proxy traffic. Instead, use a network traffic analyzer. Based on your needs, there are many network traffic analyzers available at no cost. @@ -316,39 +381,47 @@ For Windows 10 only, the following Cortana MDM policies are available in the [Po You can prevent Windows from setting the time automatically. -- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** +- To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically** - -or- + -or- -- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**. +- Create a REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\Parameters\\Type** with a value of **NoSync**. After that, configure the following: -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client** +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client** > [!NOTE] > This is only available on Windows 10, version 1703 and later. If you're using Windows 10, version 1607, the Group Policy setting is **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client** - -or - + -or - - Create a new REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\W32time\\TimeProviders\\NtpClient** and set it to 0 (zero). ### 4. Device metadata retrieval -To prevent Windows from retrieving device metadata from the Internet, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. +To prevent Windows from retrieving device metadata from the Internet: -You can also create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one). +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**. + + -or - + +- Create a new REG\_DWORD registry setting named **PreventDeviceMetadataFromNetwork** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Device Metadata** and set it to 1 (one). + + -or - + +- Apply the DeviceInstallation/PreventDeviceMetadataFromNetwork MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventdevicemetadatafromnetwork). ### 5. Find My Device To turn off Find My Device: -- Turn off the feature in the UI +- Turn off the feature in the UI - -or- + -or- -- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device** +- Disable the Group Policy: **Computer Configuration** > **Administrative Template** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device** You can also create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FindMyDevice\\AllowFindMyDevice** to 0 (zero). @@ -364,9 +437,9 @@ If you're running Windows 10, version 1607, Windows Server 2016, or later: - In Windows 10, version 1703, you can apply the System/AllowFontProviders MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - **false**. Font streaming is disabled. + - **false**. Font streaming is disabled. - - **true**. Font streaming is enabled. + - **true**. Font streaming is enabled. If you're running Windows 10, version 1507 or Windows 10, version 1511, create a REG\_DWORD registry setting named **DisableFontProviders** in **HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Services\\FontCache\\Parameters** with a value of 1. @@ -393,35 +466,35 @@ To turn off Insider Preview builds for Windows 10: > [!NOTE] > If you're running a preview version of Windows 10, you must roll back to a released version before you can turn off Insider Preview builds. -- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**. +- Turn off the feature in the UI: **Settings** > **Update & security** > **Windows Insider Program** > **Stop Insider Preview builds**. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**. - -or - + -or - - Create a new REG\_DWORD registry setting named **AllowBuildPreview** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds** with a vlue of 0 (zero) - -or- + -or- -- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: +- Apply the System/AllowBuildPreview MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - **0**. Users cannot make their devices available for downloading and installing preview software. + - **0**. Users cannot make their devices available for downloading and installing preview software. - - **1**. Users can make their devices available for downloading and installing preview software. + - **1**. Users can make their devices available for downloading and installing preview software. - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. - -or- + -or- -- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: +- Create a provisioning package: **Runtime settings** > **Policies** > **System** > **AllowBuildPreview**, where: - - **0**. Users cannot make their devices available for downloading and installing preview software. + - **0**. Users cannot make their devices available for downloading and installing preview software. - - **1**. Users can make their devices available for downloading and installing preview software. + - **1**. Users can make their devices available for downloading and installing preview software. - - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. + - **2**. (default) Not configured. Users can make their devices available for download and installing preview software. ### 8. Internet Explorer @@ -475,7 +548,7 @@ You can turn this off by: - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Internet Explorer** > **Security Features** > **Add-on Management** > **Turn off Automatic download of the ActiveX VersionList** - -or - + -or - - Changing the REG\_DWORD registry setting **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Internet Explorer\\VersionManager\\DownloadVersionList** to 0 (zero). @@ -485,11 +558,11 @@ For more info, see [Out-of-date ActiveX control blocking](https://technet.micros To turn off Live Tiles: -- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** +- Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn Off notifications network usage** - -or- + -or- -- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one). In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start. @@ -497,31 +570,31 @@ In Windows 10 Mobile, you must also unpin all tiles that are pinned to Start. To turn off mail synchronization for Microsoft Accounts that are configured on a device: -- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. +- In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts. - -or- + -or- -- Remove any Microsoft Accounts from the Mail app. +- Remove any Microsoft Accounts from the Mail app. - -or- + -or- -- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. +- Apply the Accounts/AllowMicrosoftAccountConnection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. This does not apply to Microsoft Accounts that have already been configured on the device. To turn off the Windows Mail app: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Mail** > **Turn off Windows Mail application** - -or- + -or- -- Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **ManualLaunchAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Mail** with a value of 0 (zero). ### 11. Microsoft Account To prevent communication to the Microsoft Account cloud authentication service. Many apps and system components that depend on Microsoft Account authentication may lose functionality. Some of them could be in unexpected ways. -- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**. +- Apply the Group Policy: **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** > **Accounts: Block Microsoft Accounts** and set it to **Users can't add Microsoft accounts**. - -or- + -or- - Create a REG\_DWORD registry setting named **NoConnectedUser** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System** with a value of 3. To disable the Microsoft Account Sign-In Assistant: @@ -547,7 +620,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
      Default: Disabled | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
      Default: Enabled | | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
      Default: Enabled | -| Configure Windows Defender SmartScreen Filter (Windows 10, version 1703)
      Configure SmartScreen Filter (Windows Server 2016) | Choose whether Windows Defender SmartScreen is turned on or off.
      Default: Enabled | +| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off.
      Default: Enabled | | Allow web content on New Tab page | Choose whether a new tab page appears.
      Default: Enabled | | Configure Start pages | Choose the Start page for domain-joined devices.
      Set this to **\** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
      Default: Disabled | @@ -606,48 +679,48 @@ In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2 You can turn off NCSI by doing one of the following: -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests** -- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy. +- In Windows 10, version 1703 and later, apply the Connectivity/DisallowNetworkConnectivityActiveTests MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-connectivity#connectivity-disallownetworkconnectivityactivetests) with a value of 1. > [!NOTE] > After you apply this policy, you must restart the device for the policy setting to take effect. -or- -- Create a REG\_DWORD registry setting named **NoActiveProbe** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **NoActiveProbe** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\NetworkConnectivityStatusIndicator** with a value of 1 (one). ### 14. Offline maps You can turn off the ability to download and update offline maps. -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data** - -or- + -or- -- Create a REG\_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **AutoDownloadAndUpdateMapData** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero). - -and- + -and- - In Windows 10, version 1607 and later, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off unsolicited network traffic on the Offline Maps settings page** - -or- + -or- -- Create a REG\_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **AllowUntriggeredNetworkTrafficOnSettingsPage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Maps** with a value of 0 (zero). ### 15. OneDrive To turn off OneDrive in your organization: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage** - -or- + -or- -- Create a REG\_DWORD registry setting named **DisableFileSyncNGSC** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableFileSyncNGSC** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\OneDrive** with a value of 1 (one). - -and- + -and- -- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **PreventNetworkTrafficPreUserSignIn** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\OneDrive** with a value of 1 (one). ### 16. Preinstalled apps @@ -655,117 +728,117 @@ Some preinstalled apps get content before they are opened to ensure a great expe To remove the News app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingNews | Remove-AppxPackage** To remove the Weather app: -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingWeather"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingWeather | Remove-AppxPackage** To remove the Money app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingFinance"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingFinance | Remove-AppxPackage** To remove the Sports app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingSports"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.BingSports | Remove-AppxPackage** To remove the Twitter app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "\*.Twitter"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage \*.Twitter | Remove-AppxPackage** To remove the XBOX app: -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.XboxApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.XboxApp | Remove-AppxPackage** To remove the Sway app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.Sway"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.Sway | Remove-AppxPackage** To remove the OneNote app: -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.Office.OneNote"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.Office.OneNote | Remove-AppxPackage** To remove the Get Office app: -- Right-click the app in Start, and then click **Uninstall**. +- Right-click the app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftOfficeHub"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftOfficeHub | Remove-AppxPackage** To remove the Get Skype app: -- Right-click the Sports app in Start, and then click **Uninstall**. +- Right-click the Sports app in Start, and then click **Uninstall**. - -or- + -or- -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.SkypeApp"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.SkypeApp | Remove-AppxPackage** To remove the Sticky notes app: -- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** +- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.MicrosoftStickyNotes"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}** - -and- + -and- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** @@ -773,43 +846,43 @@ To remove the Sticky notes app: Use Settings > Privacy to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. -- [17.1 General](#bkmk-general) +- [17.1 General](#bkmk-general) -- [17.2 Location](#bkmk-priv-location) +- [17.2 Location](#bkmk-priv-location) -- [17.3 Camera](#bkmk-priv-camera) +- [17.3 Camera](#bkmk-priv-camera) -- [17.4 Microphone](#bkmk-priv-microphone) +- [17.4 Microphone](#bkmk-priv-microphone) -- [17.5 Notifications](#bkmk-priv-notifications) +- [17.5 Notifications](#bkmk-priv-notifications) -- [17.6 Speech, inking, & typing](#bkmk-priv-speech) +- [17.6 Speech, inking, & typing](#bkmk-priv-speech) -- [17.7 Account info](#bkmk-priv-accounts) +- [17.7 Account info](#bkmk-priv-accounts) -- [17.8 Contacts](#bkmk-priv-contacts) +- [17.8 Contacts](#bkmk-priv-contacts) -- [17.9 Calendar](#bkmk-priv-calendar) +- [17.9 Calendar](#bkmk-priv-calendar) -- [17.10 Call history](#bkmk-priv-callhistory) +- [17.10 Call history](#bkmk-priv-callhistory) -- [17.11 Email](#bkmk-priv-email) +- [17.11 Email](#bkmk-priv-email) -- [17.12 Messaging](#bkmk-priv-messaging) +- [17.12 Messaging](#bkmk-priv-messaging) -- [17.13 Radios](#bkmk-priv-radios) +- [17.13 Radios](#bkmk-priv-radios) -- [17.14 Other devices](#bkmk-priv-other-devices) +- [17.14 Other devices](#bkmk-priv-other-devices) -- [17.15 Feedback & diagnostics](#bkmk-priv-feedback) +- [17.15 Feedback & diagnostics](#bkmk-priv-feedback) -- [17.16 Background apps](#bkmk-priv-background) +- [17.16 Background apps](#bkmk-priv-background) -- [17.17 Motion](#bkmk-priv-motion) +- [17.17 Motion](#bkmk-priv-motion) -- [17.18 Tasks](#bkmk-priv-tasks) +- [17.18 Tasks](#bkmk-priv-tasks) -- [17.19 App Diagnostics](#bkmk-priv-diag) +- [17.19 App Diagnostics](#bkmk-priv-diag) ### 17.1 General @@ -822,33 +895,33 @@ To turn off **Let apps use advertising ID to make ads more interesting to you ba > [!NOTE] > When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. - -or- + -or- -- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero). - -or- + -or- -- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). To turn off **Let websites provide locally relevant content by accessing my language list**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1. +- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1. To turn off **Let Windows track app launches to improve Start and search results**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- - Create a REG_DWORD registry setting named **Start_TrackProgs** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced** with value of 0 (zero). @@ -859,51 +932,33 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin > [!NOTE] > When you turn this feature off in the UI, it turns off the advertising ID, not just resets it. -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**. - -or- + -or- -- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **Enabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AdvertisingInfo** with a value of 0 (zero). - -or- + -or- -- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). To turn off **Turn on SmartScreen Filter to check web content (URLs) that Microsoft Store apps use**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure SmartScreen Filter**. - In Windows 10, version 1703, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge** > **Configure Windows Defender SmartScreen Filter**. +- Create a provisioning package, using: + - For Internet Explorer: **Runtime settings > Policies > Browser > AllowSmartScreen** + - For Microsoft Edge: **Runtime settings > Policies > MicrosoftEdge > AllowSmartScreen** - In Windows Server 2016, apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows SmartScreen**. - In Windows 10, version 1703 , apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Configure Windows Defender SmartScreen**. + -or- - -or- - -- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. - - -or- - -- Create a provisioning package, using: - - - For Internet Explorer: **Runtime settings** > **Policies** > **Browser** > **AllowSmartScreen** - - - For Microsoft Edge: **Runtime settings** > **Policies** > **MicrosoftEdge** > **AllowSmartScreen** - - -or- - -- Create a REG\_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\AppHost** with a value of 0 (zero). - - -or- - -- Create a REG\_DWORD registry setting named **EnableSmartScreen** in **HKEY\_LOCAL\_MACHINE\\Sofware\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero). +- Create a REG_DWORD registry setting named **EnableWebContentEvaluation** in **HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost** with a value of 0 (zero). To turn off **Send Microsoft info about how I write to help us improve typing and writing in the future**: @@ -912,35 +967,35 @@ To turn off **Send Microsoft info about how I write to help us improve typing an -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: +- Apply the TextInput/AllowLinguisticDataCollection MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where: - - **0**. Not allowed + - **0**. Not allowed - - **1**. Allowed (default) + - **1**. Allowed (default) To turn off **Let websites provide locally relevant content by accessing my language list**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1. +- Create a new REG\_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY\_CURRENT\_USER\\Control Panel\\International\\User Profile** with a value of 1. To turn off **Let apps on my other devices open apps and continue experiences on this devices**: - Turn off the feature in the UI. - -or- + -or- -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**. - -or- + -or- -- Create a REG\_DWORD registry setting named **EnableCdp** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **EnableCdp** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\System** with a value of 0 (zero). To turn off **Let apps on my other devices use Bluetooth to open apps and continue experiences on this device**: @@ -952,58 +1007,58 @@ In the **Location** area, you choose whether devices have access to location-spe To turn off **Location for this device**: -- Click the **Change** button in the UI. +- Click the **Change** button in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). - -or- + -or- -- Apply the System/AllowLocation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- Apply the System/AllowLocation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - **0**. Turned off and the employee can't turn it back on. + - **0**. Turned off and the employee can't turn it back on. - - **1**. Turned on, but lets the employee choose whether to use it. (default) + - **1**. Turned on, but lets the employee choose whether to use it. (default) - - **2**. Turned on and the employee can't turn it off. + - **2**. Turned on and the employee can't turn it off. > [!NOTE] > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx). - -or- + -or- -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowLocation**, where - - **No**. Turns off location service. + - **No**. Turns off location service. - - **Yes**. Turns on location service. (default) + - **Yes**. Turns on location service. (default) To turn off **Location**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one). - -or- + -or- To turn off **Location history**: -- Erase the history using the **Clear** button in the UI. +- Erase the history using the **Clear** button in the UI. To turn off **Choose apps that can use your location**: -- Turn off each app using the UI. +- Turn off each app using the UI. ### 17.3 Camera @@ -1011,40 +1066,40 @@ In the **Camera** area, you can choose which apps can access a device's camera. To turn off **Let apps use my camera**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). - -or- + -or- -- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- Apply the Camera/AllowCamera MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - **0**. Apps can't use the camera. + - **0**. Apps can't use the camera. - - **1**. Apps can use the camera. + - **1**. Apps can use the camera. > [!NOTE] > You can also set this MDM policy in System Center Configuration Manager using the [WMI Bridge Provider](https://msdn.microsoft.com/library/dn905224.aspx). - -or- + -or- -- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: +- Create a provisioning package with use Windows ICD, using **Runtime settings** > **Policies** > **Camera** > **AllowCamera**, where: - - **0**. Apps can't use the camera. + - **0**. Apps can't use the camera. - - **1**. Apps can use the camera. + - **1**. Apps can use the camera. To turn off **Choose apps that can use your camera**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.4 Microphone @@ -1052,29 +1107,29 @@ In the **Microphone** area, you can choose which apps can access a device's micr To turn off **Let apps use my microphone**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessMicrophone MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmicrophone), where: +- Apply the Privacy/LetAppsAccessMicrophone MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmicrophone), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) +- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) To turn off **Choose apps that can use your microphone**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.5 Notifications @@ -1083,45 +1138,45 @@ To turn off **Choose apps that can use your microphone**: To turn off notifications network usage: -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Start Menu and Taskbar** > **Notifications** > **Turn off Notifications network usage** - - Set to **Enabled**. + - Set to **Enabled**. - -or- + -or- -- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one) +- Create a REG\_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a value of 1 (one) - -or- + -or- -- Apply the Notifications/DisallowCloudNotification MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification), where: +- Apply the Notifications/DisallowCloudNotification MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-notifications#notifications-disallowcloudnotification), where: - - **0**. WNS notifications allowed - - **1**. No WNS notifications allowed + - **0**. WNS notifications allowed + - **1**. No WNS notifications allowed In the **Notifications** area, you can also choose which apps have access to notifications. To turn off **Let apps access my notifications**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access notifications** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where: +- Apply the Privacy/LetAppsAccessNotifications MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessnotifications), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) +- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) ### 17.6 Speech, inking, & typing @@ -1132,19 +1187,19 @@ In the **Speech, Inking, & Typing** area, you can let Windows and Cortana better To turn off the functionality: -- Click the **Stop getting to know me** button, and then click **Turn off**. +- Click the **Stop getting to know me** button, and then click **Turn off**. - -or- + -or- -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Regional and Language Options** > **Handwriting personalization** > **Turn off automatic learning** - -or- + -or- -- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one). - -or- + -or- -- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **AcceptedPrivacyPolicy** in **HKEY\_CURRENT\_USER\\Software\\Microsoft\\Personalization\\Settings** with a value of 0 (zero). -and- @@ -1158,10 +1213,10 @@ If you're running at least Windows 10, version 1607, you can turn off updates to Apply the Speech/AllowSpeechModelUpdate MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962(v=vs.85).aspx#Speech_AllowSpeechModelUpdate), where: -- **0** (default). Not allowed. -- **1**. Allowed. +- **0** (default). Not allowed. +- **1**. Allowed. - -or- + -or- - Create a REG\_DWORD registry setting named **ModelDownloadAllowed** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Preferences** with a value of 0 (zero). @@ -1171,29 +1226,29 @@ In the **Account Info** area, you can choose which apps can access your name, pi To turn off **Let apps access my name, picture, and other account info**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where: +- Apply the Privacy/LetAppsAccessAccountInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessaccountinfo), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- - Create a REG\_DWORD registry setting named **LetAppsAccessAccountInfo** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose the apps that can access your account info**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.8 Contacts @@ -1201,23 +1256,23 @@ In the **Contacts** area, you can choose which apps can access an employee's con To turn off **Choose apps that can access contacts**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where: +- Apply the Privacy/LetAppsAccessContacts MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscontacts), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- - Create a REG\_DWORD registry setting named **LetAppsAccessContacts** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). @@ -1227,29 +1282,29 @@ In the **Calendar** area, you can choose which apps have access to an employee's To turn off **Let apps access my calendar**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessCalendar MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscalendar), where: +- Apply the Privacy/LetAppsAccessCalendar MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscalendar), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- - Create a REG\_DWORD registry setting named **LetAppsAccessCalendar** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can access calendar**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.10 Call history @@ -1257,25 +1312,25 @@ In the **Call history** area, you can choose which apps have access to an employ To turn off **Let apps access my call history**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- - - Apply the Privacy/LetAppsAccessCallHistory MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscallhistory), where: + - Apply the Privacy/LetAppsAccessCallHistory MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesscallhistory), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.11 Email @@ -1283,25 +1338,25 @@ In the **Email** area, you can choose which apps have can access and send email. To turn off **Let apps access and send email**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- - - Apply the Privacy/LetAppsAccessEmail MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessemail), where: + - Apply the Privacy/LetAppsAccessEmail MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessemail), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.12 Messaging @@ -1309,29 +1364,29 @@ In the **Messaging** area, you can choose which apps can read or send messages. To turn off **Let apps read or send messages (text or MMS)**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessMessaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where: +- Apply the Privacy/LetAppsAccessMessaging MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmessaging), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessMessaging** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can read or send messages**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.13 Phone calls @@ -1339,30 +1394,30 @@ In the **Phone calls** area, you can choose which apps can make phone calls. To turn off **Let apps make phone calls**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where: +- Apply the Privacy/LetAppsAccessPhone MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessphone), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can make phone calls**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.14 Radios @@ -1370,30 +1425,30 @@ In the **Radios** area, you can choose which apps can turn a device's radio on o To turn off **Let apps control radios**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessRadios MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessradios), where: +- Apply the Privacy/LetAppsAccessRadios MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessradios), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can control radios**: -- Turn off the feature in the UI for each app. +- Turn off the feature in the UI for each app. ### 17.15 Other devices @@ -1401,44 +1456,42 @@ In the **Other Devices** area, you can choose whether devices that aren't paired To turn off **Let apps automatically share and sync info with wireless devices that don't explicitly pair with your PC, tablet, or phone**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps sync with devices** - -or- + -or- -- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where: +- Apply the Privacy/LetAppsSyncWithDevices MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappssyncwithdevices), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny + -or- - -or- - -- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** - - Set the **Select a setting** box to **Force Deny**. +- Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the **Privacy/LetAppsAccessTrustedDevices** MDM policy from the [Policy CSP](/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices +- Apply the **Privacy/LetAppsAccessTrustedDevices** MDM policy from the [Policy CSP](/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices ), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny - + - **0**. User in control + - **1**. Force allow + - **2**. Force deny ### 17.16 Feedback & diagnostics @@ -1451,23 +1504,23 @@ To change how frequently **Windows should ask for my feedback**: -- To change from **Automatically (Recommended)**, use the drop-down list in the UI. +- To change from **Automatically (Recommended)**, use the drop-down list in the UI. - -or- + -or- -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications** - -or- + -or- -- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one). - -or- + -or- -- Create the registry keys (REG\_DWORD type): +- Create the registry keys (REG\_DWORD type): - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\PeriodInNanoSeconds - - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod + - HKEY\_CURRENT\_USER\\Software\\Microsoft\\Siuf\\Rules\\NumberOfSIUFInPeriod Based on these settings: @@ -1482,48 +1535,48 @@ To change how frequently **Windows should ask for my feedback**: To change the level of diagnostic and usage data sent when you **Send your device data to Microsoft**: -- Click either the **Basic** or **Full** options. +- Click either the **Basic** or **Full** options. - -or- + -or- -- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment. +- Apply the Group Policy: **Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection And Preview Builds\\Allow Telemetry** and select the appropriate option for your deployment. - -or- + -or- -- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level). +- Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DataCollection\\AllowTelemetry** with a value of 0-3, as appropriate for your deployment (see below for the values for each level). > [!NOTE] > If the **Security** option is configured by using Group Policy or the Registry, the value will not be reflected in the UI. The **Security** option is only available in Windows 10 Enterprise edition. - -or- + -or- -- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: +- Apply the System/AllowTelemetry MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx), where: - - **0**. Maps to the **Security** level. + - **0**. Maps to the **Security** level. - - **1**. Maps to the **Basic** level. + - **1**. Maps to the **Basic** level. - - **2**. Maps to the **Enhanced** level. + - **2**. Maps to the **Enhanced** level. - - **3**. Maps to the **Full** level. + - **3**. Maps to the **Full** level. - -or- + -or- -- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: +- Create a provisioning package, using **Runtime settings** > **Policies** > **System** > **AllowTelemetry**, where: - - **0**. Maps to the **Security** level. + - **0**. Maps to the **Security** level. - - **1**. Maps to the **Basic** level. + - **1**. Maps to the **Basic** level. - - **2**. Maps to the **Enhanced** level. + - **2**. Maps to the **Enhanced** level. - - **3**. Maps to the **Full** level. + - **3**. Maps to the **Full** level. To turn off tailored experiences with relevant tips and recommendations by using your diagnostics data: - Turn off the feature in the UI. - -or- + -or- - Apply the Group Policy: **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences** @@ -1533,25 +1586,25 @@ In the **Background Apps** area, you can choose which apps can run in the backgr To turn off **Let apps run in the background**: -- In **Background apps**, set **Let apps run in the background** to **Off**. +- In **Background apps**, set **Let apps run in the background** to **Off**. - -or- + -or- -- In **Background apps**, turn off the feature for each app. +- In **Background apps**, turn off the feature for each app. - -or- + -or- -- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** +- Apply the Group Policy (only applicable for Windows 10, version 1703): **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps run in the background** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsRunInBackground MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessruninbackground), where: +- Apply the Privacy/LetAppsRunInBackground MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessruninbackground), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny > [!NOTE] > Some apps, including Cortana and Search, might not function as expected if you set **Let apps run in the background** to **Force Deny**. @@ -1562,23 +1615,23 @@ In the **Motion** area, you can choose which apps have access to your motion dat To turn off **Let Windows and your apps use your motion data and collect motion history**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access motion** - -or- + -or- -- Apply the Privacy/LetAppsAccessMotion MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmotion), where: +- Apply the Privacy/LetAppsAccessMotion MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccessmotion), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny - -or- + -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.19 Tasks @@ -1586,21 +1639,21 @@ In the **Tasks** area, you can choose which apps have access to your tasks. To turn this off: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access Tasks** - - Set the **Select a setting** box to **Force Deny**. + - Set the **Select a setting** box to **Force Deny**. - -or- + -or- -- Apply the Privacy/LetAppsAccessTasks MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesstasks), where: +- Apply the Privacy/LetAppsAccessTasks MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsaccesstasks), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny ### 17.20 App Diagnostics @@ -1608,19 +1661,19 @@ In the **App diagnostics** area, you can choose which apps have access to your d To turn this off: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps** - -or- + -or- -- Apply the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo), where: +- Apply the Privacy/LetAppsGetDiagnosticInfo MDM policy from the [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsgetdiagnosticinfo), where: - - **0**. User in control - - **1**. Force allow - - **2**. Force deny + - **0**. User in control + - **1**. Force allow + - **2**. Force deny ### 18. Software Protection Platform @@ -1631,11 +1684,11 @@ For Windows 10: - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** - -or- + -or- -- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. +- Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled. - -or- + -or- - Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). @@ -1643,7 +1696,7 @@ For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Co - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** - -or- + -or- - Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). @@ -1661,31 +1714,31 @@ For Windows 10: You can control if your settings are synchronized: -- In the UI: **Settings** > **Accounts** > **Sync your settings** +- In the UI: **Settings** > **Accounts** > **Sync your settings** - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync** - -or- + -or- -- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one). - -or- + -or- -- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. +- Apply the Experience/AllowSyncMySettings MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is not allowed and 1 is allowed. - -or- + -or- -- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where +- Create a provisioning package, using **Runtime settings** > **Policies** > **Experience** > **AllowSyncMySettings**, where - - **No**. Settings are not synchronized. + - **No**. Settings are not synchronized. - - **Yes**. Settings are synchronized. (default) + - **Yes**. Settings are synchronized. (default) To turn off Messaging cloud sync: -- Create a REG\_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging** with a value of 0 (zero). +- Create a REG\_DWORD registry setting named **CloudServiceSyncEnabled** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Microsoft\\Messaging** with a value of 0 (zero). ### 21. Teredo @@ -1694,15 +1747,15 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command. >[!NOTE] >If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work. -- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**. +- Enable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**. - -or- + -or- -- Create a new REG\_SZ registry setting named **Teredo_State** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**. +- Create a new REG\_SZ registry setting named **Teredo_State** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\TCPIP\\v6Transition** with a value of **Disabled**. - -or- + -or- -- From an elevated command prompt, run **netsh interface teredo set state disabled** +- From an elevated command prompt, run **netsh interface teredo set state disabled** ### 22. Wi-Fi Sense @@ -1713,23 +1766,23 @@ Wi-Fi Sense automatically connects devices to known hotspots and to the wireless To turn off **Connect to suggested open hotspots** and **Connect to networks shared by my contacts**: -- Turn off the feature in the UI. +- Turn off the feature in the UI. - -or- + -or- -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. - -or- + -or- -- Create a new REG\_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a value of 0 (zero). +- Create a new REG\_DWORD registry setting named **AutoConnectAllowedOEM** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\WcmSvc\\wifinetworkmanager\\config** with a value of 0 (zero). - -or- + -or- -- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909). +- Change the Windows Provisioning setting, WiFISenseAllowed, to 0 (zero). For more info, see the Windows Provisioning Settings reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620909). - -or- + -or- -- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910). +- Use the Unattended settings to set the value of WiFiSenseAllowed to 0 (zero). For more info, see the Unattended Windows Setup reference doc, [WiFiSenseAllowed](https://go.microsoft.com/fwlink/p/?LinkId=620910). When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. @@ -1737,55 +1790,55 @@ When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings scr You can disconnect from the Microsoft Antimalware Protection Service. -- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** +- Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** - -or- + -or- -- Delete the registry setting **named** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates**. +- Delete the registry setting **named** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates**. - -or- + -or- -- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). +- For Windows 10 only, apply the Defender/AllowClouldProtection MDM policy from the [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). - -or- + -or- -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SpyNetReporting** to 0 (zero). - -and- + -and- From an elevated Windows PowerShell prompt, run **set-mppreference -Mapsreporting 0** You can stop sending file samples back to Microsoft. -- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. +- Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Always Prompt** or **Never Send**. - -or- + -or- -- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where: +- For Windows 10 only, apply the Defender/SubmitSamplesConsent MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender), where: - - **0**. Always prompt. + - **0**. Always prompt. - - **1**. (default) Send safe samples automatically. + - **1**. (default) Send safe samples automatically. - - **2**. Never send. + - **2**. Never send. - - **3**. Send all samples automatically. + - **3**. Send all samples automatically. - -or- + -or- -- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. +- Use the registry to set the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows Defender\\Spynet\\SubmitSamplesConsent** to 0 (zero) to always prompt or 2 to never send. You can stop downloading definition updates: -- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. +- Enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. - -and- + -and- -- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. +- Disable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **Signature Updates** > **Define file shares for downloading definition updates** and set it to nothing. - -or- + -or- -- Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates** with a value of **FileShares**. +- Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates** with a value of **FileShares**. For Windows 10 only, you can stop Enhanced Notifications: @@ -1793,19 +1846,49 @@ For Windows 10 only, you can stop Enhanced Notifications: You can also use the registry to turn off Malicious Software Reporting Tool diagnostic data by setting the REG\_DWORD value **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\MRT\\DontReportInfectionInformation** to 1. +### 23.1 Windows Defender SmartScreen + +To disable Windows Defender Smartscreen: + +- In Group Policy, configure - **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** : **Disable** + + -and- + +- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable** + + -and- + +- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable** + + -or- + +- Create a REG_DWORD registry setting named **EnableSmartScreen** in **HKEY_LOCAL_MACHINE\Sofware\Policies\Microsoft\Windows\System** with a value of 0 (zero). + + -and- + +- Create a REG_DWORD registry setting named **ConfigureAppInstallControlEnabled** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of 1. + + -and- + +- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen** with a value of **Anywhere**. + + -or- + +- Apply the Browser/AllowSmartScreen MDM policy from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is turned off and 1 is turned on. + ### 24. Windows Media Player To remove Windows Media Player on Windows 10: -- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. +- From the **Programs and Features** control panel, click **Turn Windows features on or off**, under **Media Features**, clear the **Windows Media Player** check box, and then click **OK**. - -or- + -or- -- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** To remove Windows Media Player on Windows Server 2016: -- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** +- Run the following DISM command from an elevated command prompt: **dism /online /Disable-Feature /FeatureName:WindowsMediaPlayer** ### 25. Windows Spotlight @@ -1818,51 +1901,51 @@ If you're running Windows 10, version 1607 or later, you only need to enable the > [!NOTE] > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting. - -or- + -or- -- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero). +- For Windows 10 only, apply the Experience/AllowWindowsSpotlight MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience), with a value of 0 (zero). - -or- + -or- -- Create a new REG\_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). +- Create a new REG\_DWORD registry setting named **DisableWindowsSpotlightFeatures** in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). If you're not running Windows 10, version 1607 or later, you can use the other options in this section. -- Configure the following in **Settings**: +- Configure the following in **Settings**: - - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**. + - **Personalization** > **Lock screen** > **Background** > **Windows spotlight**, select a different background, and turn off **Get fun facts, tips, tricks and more on your lock screen**. > [!NOTE] > In Windows 10, version 1507 and Windows 10, version 1511, this setting was named **Show me tips, tricks, and more on the lock screen**. - - **Personalization** > **Start** > **Occasionally show suggestions in Start**. + - **Personalization** > **Start** > **Occasionally show suggestions in Start**. - - **System** > **Notifications & actions** > **Show me tips about Windows**. + - **System** > **Notifications & actions** > **Show me tips about Windows**. - -or- + -or- -- Apply the Group Policies: +- Apply the Group Policies: - - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. - - Add a location in the **Path to local lock screen image** box. + - **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Force a specific default lock screen image**. + - Add a location in the **Path to local lock screen image** box. - - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. + - Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box. - > [!NOTE] - > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting nameed **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one). + > [!NOTE] + > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Personalization** > **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting nameed **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one). - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips**. - -or- + -or- - - Create a new REG\_DWORD registry setting named **DisableSoftLanding** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). + - Create a new REG\_DWORD registry setting named **DisableSoftLanding** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). - - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. + - **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences**. - -or- + -or- - - Create a new REG\_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). + - Create a new REG\_DWORD registry setting named **DisableWindowsConsumerFeatures** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a value of 1 (one). For more info, see [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight). @@ -1873,17 +1956,17 @@ This will also turn off automatic app updates, and the Microsoft Store will be d In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**. On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps. -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**. - -or- + -or- - - Create a new REG\_DWORD registry setting named **DisableStoreApps** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 1 (one). + - Create a new REG\_DWORD registry setting named **DisableStoreApps** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 1 (one). -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**. - -or- + -or- - - Create a new REG\_DWORD registry setting named **AutoDownload** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two). + - Create a new REG\_DWORD registry setting named **AutoDownload** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsStore** with a value of 2 (two). ### 26.1 Apps for websites @@ -1905,7 +1988,7 @@ In Windows 10, version 1607, you can stop network traffic related to Windows Upd You can set up Delivery Optimization from the **Settings** UI. -- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. +- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**. ### 27.2 Delivery Optimization Group Policies @@ -1954,47 +2037,47 @@ For more info about Delivery Optimization in general, see [Windows Update Delive You can turn off Windows Update by setting the following registry entries: -- Add a REG\_DWORD value named **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. +- Add a REG\_DWORD value named **DoNotConnectToWindowsUpdateInternetLocations** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - -and- + -and- -- Add a REG\_DWORD value named **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. +- Add a REG\_DWORD value named **DisableWindowsUpdateAccess** to **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate** and set the value to 1. - -and- + -and- -- Add a REG\_DWORD value named **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. +- Add a REG\_DWORD value named **UseWUServer** to **HKEY\_LOCAL\_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU** and set the value to 1. - -or- + -or- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations**. - -and- + -and- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**. +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features**. - -and- + -and- -- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to " ". +- Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** and set the **Set the alternate download server** to " ". You can turn off automatic updates by doing one of the following. This is not recommended. -- Add a REG\_DWORD value named **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. +- Add a REG\_DWORD value named **AutoDownload** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\WindowsStore\\WindowsUpdate** and set the value to 5. - -or- + -or- -- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update), where: +- For Windows 10 only, apply the Update/AllowAutoUpdate MDM policy from the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update), where: - - **0**. Notify the user before downloading the update. + - **0**. Notify the user before downloading the update. - - **1**. Auto install the update and then notify the user to schedule a device restart. + - **1**. Auto install the update and then notify the user to schedule a device restart. - - **2** (default). Auto install and restart. + - **2** (default). Auto install and restart. - - **3**. Auto install and restart at a specified time. + - **3**. Auto install and restart at a specified time. - - **4**. Auto install and restart without end-user control. + - **4**. Auto install and restart without end-user control. - - **5**. Turn off automatic updates. + - **5**. Turn off automatic updates. To learn more, see [Device update management](https://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](https://technet.microsoft.com/library/cc720539.aspx). diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md new file mode 100644 index 0000000000..2e754c9ad3 --- /dev/null +++ b/windows/privacy/manage-windows-1709-endpoints.md @@ -0,0 +1,489 @@ +--- +title: Connection endpoints for Windows 10, version 1709 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Manage connection endpoints for Windows 10, version 1709 + +**Applies to** + +- Windows 10, version 1709 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Enterprise connection endpoints + +## Apps + +The following endpoint is used to download updates to the Weather app Live Tile. +If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | + +The following endpoint is used for OneNote Live Tile. +To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | + +The following endpoints are used for Twitter updates. +To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wildcard.twimg.com | +| svchost.exe | | oem.twimg.com/windows/tile.xml | + +The following endpoint is used for Facebook updates. +To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | star-mini.c10r.facebook.com | + +The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. +To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | + +The following endpoint is used for Candy Crush Saga updates. +To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | TLS v1.2 | candycrushsoda.king.com | + +The following endpoint is used for by the Microsoft Wallet app. +To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | + +The following endpoint is used by the Groove Music app for update HTTP handler status. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | + +## Cortana and Search + +The following endpoint is used to get images that are used for Microsoft Store suggestions. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui | HTTPS |store-images.s-microsoft.com | + +The following endpoint is used to update Cortana greetings, tips, and Live Tiles. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/client | + +The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/proactive | + +The following endpoint is used by Cortana to report diagnostic and diagnostic data information. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui
      backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | + +## Certificates + +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. + +Additionally, it is used to download certificates that are publicly known to be fraudulent. +These settings are critical for both Windows security and the overall security of the Internet. +We do not recommend blocking this endpoint. +If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | ctldl.windowsupdate.com | + +## Device authentication + +The following endpoint is used to authenticate a device. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | login.live.com/ppsecure | + +## Device metadata + +The following endpoint is used to retrieve device metadata. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | dmd.metaservices.microsoft.com.akadns.net | + +## Diagnostic Data + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | cy2.vortex.data.microsoft.com.akadns.net | + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | + +The following endpoints are used by Windows Error Reporting. +To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| wermgr | | watson.telemetry.microsoft.com | +| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | + +## Font streaming + +The following endpoints are used to download fonts on demand. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | fs.microsoft.com | +| | | fs.microsoft.com/fs/windows/config.json | + +## Licensing + +The following endpoint is used for online activation and some app licensing. +To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | + +## Location + +The following endpoint is used for location data. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | location-inference-westus.cloudapp.net | + +## Maps + +The following endpoint is used to check for updates to maps that have been downloaded for offline use. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *g.akamaiedge.net | + +## Microsoft account + +The following endpoints are used for Microsoft accounts to sign in. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | login.msa.akadns6.net | +| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | + +## Microsoft Store + +The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.wns.windows.com | + +The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storecatalogrevocation.storequality.microsoft.com | + +The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | + +The following endpoints are used to communicate with Microsoft Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storeedgefd.dsx.mp.microsoft.com | +| | HTTP | pti.store.microsoft.com | +||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| + +## Network Connection Status Indicator (NCSI) + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | www.msftconnecttest.com/connecttest.txt | + +## Office + +The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.a-msedge.net | +| hxstr | | *.c-msedge.net | +| | | *.e-msedge.net | +| | | *.s-msedge.net | + +The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\Auth.Host.exe | HTTPS | outlook.office365.com | + +The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| + +## OneDrive + +The following endpoint is a redirection service that’s used to automatically update URLs. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | + +The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). +To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTPS | oneclient.sfx.ms | + +## Settings + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | | cy2.settings.data.microsoft.com.akadns.net | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | HTTPS | settings.data.microsoft.com | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | settings-win.data.microsoft.com | + +## Skype + +The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | + + + +## Windows Defender + +The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | wdcp.microsoft.com | + +The following endpoints are used for Windows Defender definition updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | definitionupdates.microsoft.com | +|MpCmdRun.exe|HTTPS|go.microsoft.com | + +## Windows Spotlight + +The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | arc.msn.com | +| backgroundtaskhost | | g.msn.com.nsatc.net | +| |TLS v1.2| *.search.msn.com | +| | HTTPS | ris.api.iris.microsoft.com | +| | HTTPS | query.prod.cms.rt.microsoft.com | + +## Windows Update + +The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | + +The following endpoints are used to download operating system patches and updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | *.windowsupdate.com | +| | HTTP | fg.download.windowsupdate.com.c.footprint.net | + +The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | cds.d2s7q6s2.hwcdn.net | + +The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | *wac.phicdn.net | +| | | *wac.edgecastcdn.net | + +The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired). +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | + +The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | emdl.ws.microsoft.com | + +The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | fe2.update.microsoft.com | +| svchost | | fe3.delivery.mp.microsoft.com | +| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | +| svchost | HTTPS | sls.update.microsoft.com | + +The following endpoint is used for content regulation. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | + +The following endpoints are used to download content. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | a122.dscd.akamai.net | +| | | a1621.g.akamai.net | + +## Microsoft forward link redirection service (FWLink) + +The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. + +If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Various|HTTPS|go.microsoft.com| + +## Other Windows 10 versions and editions + +To view endpoints for other versions of Windows 10 enterprise, see: +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) \ No newline at end of file diff --git a/windows/privacy/manage-windows-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md similarity index 67% rename from windows/privacy/manage-windows-endpoints.md rename to windows/privacy/manage-windows-1803-endpoints.md index 721814aabe..f508978478 100644 --- a/windows/privacy/manage-windows-endpoints.md +++ b/windows/privacy/manage-windows-1803-endpoints.md @@ -1,5 +1,5 @@ --- -title: Windows 10 connection endpoints +title: Connection endpoints for Windows 10, version 1803 description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 ms.prod: w10 @@ -10,11 +10,11 @@ author: danihalfin ms.author: daniha ms.date: 6/26/2018 --- -# Manage Windows 10 connection endpoints +# Manage connection endpoints for Windows 10, version 1803 **Applies to** -- Windows 10, version 1709 and later +- Windows 10, version 1803 Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: @@ -34,7 +34,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. @@ -46,252 +47,248 @@ We used the following methodology to derive these network endpoints: The following endpoint is used to download updates to the Weather app Live Tile. If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| explorer | HTTP | tile-service.weather.microsoft.com | 1709 | -| | HTTP | blob.weather.microsoft.com | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | The following endpoints are used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTPS | wildcard.twimg.com | 1709 | -| svchost.exe | | oem.twimg.com/windows/tile.xml | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wildcard.twimg.com | +| svchost.exe | | oem.twimg.com/windows/tile.xml | The following endpoint is used for Facebook updates. To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | star-mini.c10r.facebook.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | star-mini.c10r.facebook.com | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | TLS v1.2 | candycrushsoda.king.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | TLS v1.2 | candycrushsoda.king.com | The following endpoint is used for by the Microsoft Wallet app. To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | The following endpoint is used by the Groove Music app for update HTTP handler status. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | ## Cortana and Search The following endpoint is used to get images that are used for Microsoft Store suggestions. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| searchui | HTTPS |store-images.s-microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui | HTTPS |store-images.s-microsoft.com | The following endpoint is used to update Cortana greetings, tips, and Live Tiles. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| backgroundtaskhost | HTTPS | www.bing.com/client | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/client | The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| backgroundtaskhost | HTTPS | www.bing.com/proactive | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/proactive | The following endpoint is used by Cortana to report diagnostic and diagnostic data information. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| searchui
      backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui
      backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | ## Certificates -The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTP | ctldl.windowsupdate.com | 1709 | - -The following endpoints are used to download certificates that are publicly known to be fraudulent. +Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTP | ctldl.windowsupdate.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | ctldl.windowsupdate.com | ## Device authentication The following endpoint is used to authenticate a device. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTPS | login.live.com/ppsecure | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | login.live.com/ppsecure | ## Device metadata The following endpoint is used to retrieve device metadata. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | dmd.metaservices.microsoft.com.akadns.net | 1709 | -| | HTTP | dmd.metaservices.microsoft.com | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | dmd.metaservices.microsoft.com.akadns.net | +| | HTTP | dmd.metaservices.microsoft.com | ## Diagnostic Data The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | | cy2.vortex.data.microsoft.com.akadns.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | cy2.vortex.data.microsoft.com.akadns.net | The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 | The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| wermgr | | watson.telemetry.microsoft.com | 1709 | -| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| wermgr | | watson.telemetry.microsoft.com | +| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | ## Font streaming The following endpoints are used to download fonts on demand. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | | fs.microsoft.com | 1709 | -| | | fs.microsoft.com/fs/windows/config.json | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | fs.microsoft.com | +| | | fs.microsoft.com/fs/windows/config.json | ## Licensing The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | ## Location The following endpoint is used for location data. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTP | location-inference-westus.cloudapp.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | location-inference-westus.cloudapp.net | ## Maps The following endpoint is used to check for updates to maps that have been downloaded for offline use. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTPS | *g.akamaiedge.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *g.akamaiedge.net | ## Microsoft account The following endpoints are used for Microsoft accounts to sign in. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | login.msa.akadns6.net | 1709 | -| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | login.msa.akadns6.net | +| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | ## Microsoft Store The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | *.wns.windows.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.wns.windows.com | The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTP | storecatalogrevocation.storequality.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storecatalogrevocation.storequality.microsoft.com | The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | 1709 | -| backgroundtransferhost | HTTPS | store-images.microsoft.com | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | +| backgroundtransferhost | HTTPS | store-images.microsoft.com | The following endpoints are used to communicate with Microsoft Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTP | storeedgefd.dsx.mp.microsoft.com | 1709 | -| | HTTP | pti.store.microsoft.com | 1709 | -||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| 1709 | -| svchost | HTTPS | displaycatalog.mp.microsoft.com | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storeedgefd.dsx.mp.microsoft.com | +| | HTTP | pti.store.microsoft.com | +||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| +| svchost | HTTPS | displaycatalog.mp.microsoft.com | ## Network Connection Status Indicator (NCSI) Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTP | www.msftconnecttest.com/connecttest.txt | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | www.msftconnecttest.com/connecttest.txt | ## Office @@ -299,74 +296,74 @@ The following endpoints are used to connect to the Office 365 portal's shared in You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | *.a-msedge.net | 1709 | -| hxstr | | *.c-msedge.net | 1709 | -| | | *.e-msedge.net | 1709 | -| | | *.s-msedge.net | 1709 | -| | HTTPS | ocos-office365-s2s.msedge.net | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.a-msedge.net | +| hxstr | | *.c-msedge.net | +| | | *.e-msedge.net | +| | | *.s-msedge.net | +| | HTTPS | ocos-office365-s2s.msedge.net | The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| system32\Auth.Host.exe | HTTPS | outlook.office365.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\Auth.Host.exe | HTTPS | outlook.office365.com | The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| ## OneDrive The following endpoint is a redirection service that’s used to automatically update URLs. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| onedrive | HTTPS | oneclient.sfx.ms | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTPS | oneclient.sfx.ms | ## Settings The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| dmclient | | cy2.settings.data.microsoft.com.akadns.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | | cy2.settings.data.microsoft.com.akadns.net | The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| dmclient | HTTPS | settings.data.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | HTTPS | settings.data.microsoft.com | The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTPS | settings-win.data.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | settings-win.data.microsoft.com | ## Skype The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | @@ -375,102 +372,102 @@ The following endpoint is used to retrieve Skype configuration values. To turn o The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | wdcp.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | wdcp.microsoft.com | The following endpoints are used for Windows Defender definition updates. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | definitionupdates.microsoft.com | 1709 | -|MpCmdRun.exe|HTTPS|go.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | definitionupdates.microsoft.com | +|MpCmdRun.exe|HTTPS|go.microsoft.com | ## Windows Spotlight The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| backgroundtaskhost | HTTPS | arc.msn.com | 1709 | -| backgroundtaskhost | | g.msn.com.nsatc.net | 1709 | -| |TLS v1.2| *.search.msn.com | 1709 | -| | HTTPS | ris.api.iris.microsoft.com | 1709 | -| | HTTPS | query.prod.cms.rt.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | arc.msn.com | +| backgroundtaskhost | | g.msn.com.nsatc.net | +| |TLS v1.2| *.search.msn.com | +| | HTTPS | ris.api.iris.microsoft.com | +| | HTTPS | query.prod.cms.rt.microsoft.com | ## Windows Update The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | The following endpoints are used to download operating system patches and updates. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTP | *.windowsupdate.com | 1709 | -| | HTTP | fg.download.windowsupdate.com.c.footprint.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | *.windowsupdate.com | +| | HTTP | fg.download.windowsupdate.com.c.footprint.net | The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | cds.d2s7q6s2.hwcdn.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | cds.d2s7q6s2.hwcdn.net | The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | HTTP | *wac.phicdn.net | 1709 | -| | | *wac.edgecastcdn.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | *wac.phicdn.net | +| | | *wac.edgecastcdn.net | The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired). If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | | emdl.ws.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | emdl.ws.microsoft.com | The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTPS | fe2.update.microsoft.com | 1709 | -| svchost | | fe3.delivery.mp.microsoft.com | 1709 | -| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | 1709 | -| svchost | HTTPS | sls.update.microsoft.com | 1709 | -| | HTTP | *.dl.delivery.mp.microsoft.com | 1803 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | fe2.update.microsoft.com | +| svchost | | fe3.delivery.mp.microsoft.com | +| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | +| svchost | HTTPS | sls.update.microsoft.com | +| | HTTP | *.dl.delivery.mp.microsoft.com | The following endpoint is used for content regulation. If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | The following endpoints are used to download content. If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -| | | a122.dscd.akamai.net | 1709 | -| | | a1621.g.akamai.net | 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | a122.dscd.akamai.net | +| | | a1621.g.akamai.net | ## Microsoft forward link redirection service (FWLink) @@ -478,12 +475,16 @@ The following endpoint is used by the Microsoft forward link redirection service If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. -| Source process | Protocol | Destination | Applies from Windows 10 version | -|----------------|----------|------------|----------------------------------| -|Various|HTTPS|go.microsoft.com| 1709 | +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Various|HTTPS|go.microsoft.com| ## Other Windows 10 editions +To view endpoints for other versions of Windows 10 enterprise, see: +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md) + To view endpoints for non-Enterprise Windows 10 editions, see: - [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) - [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md new file mode 100644 index 0000000000..54dc118d49 --- /dev/null +++ b/windows/privacy/manage-windows-1809-endpoints.md @@ -0,0 +1,525 @@ +--- +title: Connection endpoints for Windows 10, version 1803 +description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Manage connection endpoints for Windows 10, version 1809 + +**Applies to** + +- Windows 10, version 1809 + +Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: + +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. + +This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. +Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). +Where applicable, each endpoint covered in this topic includes a link to specific details about how to control traffic to it. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Enterprise connection endpoints + +## Apps + +The following endpoint is used to download updates to the Weather app Live Tile. +If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| explorer | HTTP | tile-service.weather.microsoft.com | +| | HTTP | blob.weather.microsoft.com | + +The following endpoint is used for OneNote Live Tile. +To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | cdn.onenote.net/livetile/?Language=en-US | + +The following endpoints are used for Twitter updates. +To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wildcard.twimg.com | +| svchost.exe | | oem.twimg.com/windows/tile.xml | + +The following endpoint is used for Facebook updates. +To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | star-mini.c10r.facebook.com | + +The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. +To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net | + +The following endpoint is used for Candy Crush Saga updates. +To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | TLS v1.2 | candycrushsoda.king.com | + +The following endpoint is used for by the Microsoft Wallet app. +To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). +If you disable the Microsoft store, other Store apps cannot be installed or updated. +Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com | + +The following endpoint is used by the Groove Music app for update HTTP handler status. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and won't be able to directly launch the app. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com | + +The following endpoints are used when using the Whiteboard app. +To turn off traffic for this endpoint [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | wbd.ms | +| | HTTPS | int.whiteboard.microsoft.com | +| | HTTPS | whiteboard.microsoft.com | +| | HTTP / HTTPS | whiteboard.ms | + +## Cortana and Search + +The following endpoint is used to get images that are used for Microsoft Store suggestions. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block images that are used for Microsoft Store suggestions. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui | HTTPS |store-images.s-microsoft.com | + +The following endpoint is used to update Cortana greetings, tips, and Live Tiles. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you will block updates to Cortana greetings, tips, and Live Tiles. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/client | + +The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters would not be updated and the device would no longer participate in experiments. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | www.bing.com/proactive | + +The following endpoint is used by Cortana to report diagnostic and diagnostic data information. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and won't be able to fix them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| searchui
      backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx | + +## Certificates + +The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. + +Additionally, it is used to download certificates that are publicly known to be fraudulent. +These settings are critical for both Windows security and the overall security of the Internet. +We do not recommend blocking this endpoint. +If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | ctldl.windowsupdate.com | + +## Device authentication + +The following endpoint is used to authenticate a device. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | login.live.com/ppsecure | + +## Device metadata + +The following endpoint is used to retrieve device metadata. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | dmd.metaservices.microsoft.com.akadns.net | +| | HTTP | dmd.metaservices.microsoft.com | + +## Diagnostic Data + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | cy2.vortex.data.microsoft.com.akadns.net | + +The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | v10.vortex-win.data.microsoft.com/collect/v1 | + +The following endpoints are used by Windows Error Reporting. +To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| wermgr | | watson.telemetry.microsoft.com | +| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net | + +## Font streaming + +The following endpoints are used to download fonts on demand. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | fs.microsoft.com | +| | | fs.microsoft.com/fs/windows/config.json | + +## Licensing + +The following endpoint is used for online activation and some app licensing. +To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content | + +## Location + +The following endpoint is used for location data. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | location-inference-westus.cloudapp.net | +| | HTTPS | inference.location.live.net | + +## Maps + +The following endpoint is used to check for updates to maps that have been downloaded for offline use. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *g.akamaiedge.net | + +## Microsoft account + +The following endpoints are used for Microsoft accounts to sign in. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | login.msa.akadns6.net | +| system32\Auth.Host.exe | HTTPS | auth.gfx.ms | +| | | us.configsvc1.live.com.akadns.net | + +## Microsoft Store + +The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | *.wns.windows.com | + +The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storecatalogrevocation.storequality.microsoft.com | + +The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net | +| backgroundtransferhost | HTTPS | store-images.microsoft.com | + +The following endpoints are used to communicate with Microsoft Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | storeedgefd.dsx.mp.microsoft.com | +| | HTTP \ HTTPS | pti.store.microsoft.com | +||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.| +| svchost | HTTPS | displaycatalog.mp.microsoft.com | + +## Network Connection Status Indicator (NCSI) + +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | www.msftconnecttest.com/connecttest.txt | + +## Office + +The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | *.a-msedge.net | +| hxstr | | *.c-msedge.net | +| | | *.e-msedge.net | +| | | *.s-msedge.net | +| | HTTPS | ocos-office365-s2s.msedge.net | +| | HTTPS | nexusrules.officeapps.live.com | +| | HTTPS | officeclient.microsoft.com | + +The following endpoint is used to connect to the Office 365 portal's shared infrastructure, including Office Online. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#BKMK_Portal-identity). +You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. +If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| system32\Auth.Host.exe | HTTPS | outlook.office365.com | + +The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net| + +The following endpoint is used to connect the Office To-Do app to it's cloud service. +To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| |HTTPS|to-do.microsoft.com| + +## OneDrive + +The following endpoint is a redirection service that’s used to automatically update URLs. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction | + +The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). +To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| onedrive | HTTPS | oneclient.sfx.ms | + +## Settings + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | | cy2.settings.data.microsoft.com.akadns.net | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| dmclient | HTTPS | settings.data.microsoft.com | + +The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | settings-win.data.microsoft.com | + +## Skype + +The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com | +| | HTTPS | browser.pipe.aria.microsoft.com | +| | | skypeecs-prod-usw-0-b.cloudapp.net | + +## Windows Defender + +The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | wdcp.microsoft.com | + +The following endpoints are used for Windows Defender definition updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | definitionupdates.microsoft.com | +|MpCmdRun.exe|HTTPS|go.microsoft.com | + +The following endpoints are used for Windows Defender Smartscreen reporting and notifications. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender-smartscreen), Smartscreen notifications will no appear. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTPS | ars.smartscreen.microsoft.com | +| | HTTPS | unitedstates.smartscreen-prod.microsoft.com | +| | | smartscreen-sn3p.smartscreen.microsoft.com | + +## Windows Spotlight + +The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight). + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| backgroundtaskhost | HTTPS | arc.msn.com | +| backgroundtaskhost | | g.msn.com.nsatc.net | +| |TLS v1.2| *.search.msn.com | +| | HTTPS | ris.api.iris.microsoft.com | +| | HTTPS | query.prod.cms.rt.microsoft.com | + +## Windows Update + +The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com | + +The following endpoints are used to download operating system patches and updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTP | *.windowsupdate.com | +| | HTTP | fg.download.windowsupdate.com.c.footprint.net | + +The following endpoint is used by the Highwinds Content Delivery Network to perform Windows updates. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | cds.d2s7q6s2.hwcdn.net | + +The following endpoints are used by the Verizon Content Delivery Network to perform Windows updates. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not perform updates. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | HTTP | *wac.phicdn.net | +| | | *wac.edgecastcdn.net | + +The following endpoint is used to download apps and Windows Insider Preview builds from the Microsoft Store. Time Limited URL (TLU) is a mechanism for protecting the content. For example, it prevents someone from copying the URL and then getting access to the app that the person has not acquired). +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the updating functionality on this device is essentially in a disabled state, resulting in user unable to get apps from the Store, get latest version of Windows, and so on. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | + +The following endpoint is used to download apps from the Microsoft Store. It's used as part of calculating the right ranges for apps. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), users of the device will not able to get apps from the Microsoft Store. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | | emdl.ws.microsoft.com | + +The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | fe2.update.microsoft.com | +| svchost | | fe3.delivery.mp.microsoft.com | +| | | fe3.delivery.dsp.mp.microsoft.com.nsatc.net | +| svchost | HTTPS | sls.update.microsoft.com | +| | HTTP | *.dl.delivery.mp.microsoft.com | + +The following endpoint is used for content regulation. +If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com | + +The following endpoints are used to download content. +If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), you will block any content from being downloaded. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +| | | a122.dscd.akamai.net | +| | | a1621.g.akamai.net | + +## Microsoft forward link redirection service (FWLink) + +The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. + +If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded. + +| Source process | Protocol | Destination | +|----------------|----------|------------| +|Various|HTTPS|go.microsoft.com| + +## Other Windows 10 editions + +To view endpoints for other versions of Windows 10 enterprise, see: +- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md) +- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md) + +To view endpoints for non-Enterprise Windows 10 editions, see: +- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md) +- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md) + +## Related links + +- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US) +- [Network infrastructure requirements for Microsoft Intune](https://docs.microsoft.com/intune/get-started/network-infrastructure-requirements-for-microsoft-intune) \ No newline at end of file diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 1766427ef8..dd435f2d40 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -14,6 +14,7 @@ ms.date: 03/13/2018 # Windows 10, version 1709 and newer diagnostic data for the Full level Applies to: +- Windows 10, version 1809 - Windows 10, version 1803 - Windows 10, version 1709 @@ -24,17 +25,11 @@ In addition, this article provides references to equivalent definitions for the The data covered in this article is grouped into the following types: - Common data (diagnostic header information) - - Device, Connectivity, and Configuration data - - Product and Service Usage data - - Product and Service Performance data - - Software Setup and Inventory data - - Browsing History data - - Inking, Typing, and Speech Utterance data ## Common data @@ -44,9 +39,23 @@ Most diagnostic events contain a header of common data. In each example, the inf Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category. ### Data Description for Common data type -|Sub-type|Description and examples| -|- |- | -|Common Data|Information that is added to most diagnostic events, if relevant and available:
      • Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
      • Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)
      • Event collection time (8.2.3.2.2 Telemetry data)
      • User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data (8.2.5 Account data)
      • Xbox UserID (8.2.5 Account data)
      • Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
      • Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
      • Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
      • Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data)
      • HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)
      • Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)
      | + +#### Common data type + +Information that is added to most diagnostic events, if relevant and available: + +- Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability) +- Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data) +- Event collection time (8.2.3.2.2 Telemetry data) +- User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data) +- Xbox UserID (8.2.5 Account data) +- Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data) +- Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data) +- Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data) +- Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data) +- HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data) +- Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data) + ## Device, Connectivity, and Configuration data This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data. @@ -59,15 +68,11 @@ This type of data includes details about the device, its configuration and conne - Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems that impact devices with unique hardware, capabilities, or settings. For example: - Data about the use of cellular modems and their configuration on your devices is used to troubleshoot cellular modem issues. - - Data about the use of USB hubs use and their configuration on your devices is used to troubleshoot USB hub issues. - - Data about the use of connected Bluetooth devices is used to troubleshoot compatibility issues with Bluetooth devices. - Data about device properties, such as the operating system version and available memory, is used to determine whether the device is due to, and able to, receive a Windows update. - - Data about device peripherals is used to determine whether a device has installed drivers that might be negatively impacted by a Windows update. - - Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users. **With (optional) Tailored experiences:**
      @@ -78,13 +83,91 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud - Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These may be free or paid apps.   ### Data Description for Device, Connectivity, and Configuration data type -|Sub-type|Description and examples| -|- |- | -|Device properties |Information about the operating system and device hardware, such as:
      • Operating system - version name, edition
      • Installation type, subscription status, and genuine operating system status
      • Processor architecture, speed, number of cores, manufacturer, and model
      • OEM details --manufacturer, model, and serial number
      • Device identifier and Xbox serial number
      • Firmware/BIOS operating system -- type, manufacturer, model, and version
      • Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
      • Storage -- total capacity and disk type
      • Battery -- charge capacity and InstantOn support
      • Hardware chassis type, color, and form factor
      • Is this a virtual machine?
      | -|Device capabilities|Information about the specific device capabilities, such as:
      • Camera -- whether the device has a front facing camera, a rear facing camera, or both.
      • Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?
      • Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
      • Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version
      • Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
      • Voice -- whether voice interaction is supported and the number of active microphones
      • Number of displays, resolutions, and DPI
      • Wireless capabilities
      • OEM or platform face detection
      • OEM or platform video stabilization and quality-level set
      • Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability
      | -|Device preferences and settings |Information about the device settings and user preferences, such as:
      • User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
      • User-provided device name
      • Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)
      • Hashed representation of the domain name
      • MDM (mobile device management) enrollment settings and status
      • BitLocker, Secure Boot, encryption settings, and status
      • Windows Update settings and status
      • Developer Unlock settings and status
      • Default app choices
      • Default browser choice
      • Default language settings for app, input, keyboard, speech, and display
      • App store update settings
      • Enterprise OrganizationID, Commercial ID
      | -|Device peripherals |Information about the device peripherals, such as:
      • Peripheral name, device model, class, manufacturer, and description
      • Peripheral device state, install state, and checksum
      • Driver name, package name, version, and manufacturer
      • HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
      • Driver state, problem code, and checksum
      • Whether driver is kernel mode, signed, and image size
      | -|Device network info |Information about the device network configuration, such as:
      • Network system capabilities
      • Local or Internet connectivity status
      • Proxy, gateway, DHCP, DNS details, and addresses
      • Whether it's a paid or free network
      • Whether the wireless driver is emulated
      • Whether it's access point mode-capable
      • Access point manufacturer, model, and MAC address
      • WDI Version
      • Name of networking driver service
      • Wi-Fi Direct details
      • Wi-Fi device hardware ID and manufacturer
      • Wi-Fi scan attempt and item counts
      • Whether MAC randomization is supported and enabled
      • Number of supported spatial streams and channel frequencies
      • Whether Manual or Auto-connect is enabled
      • Time and result of each connection attempt
      • Airplane mode status and attempts
      • Interface description provided by the manufacturer
      • Data transfer rates
      • Cipher algorithm
      • Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
      • Mobile operator and service provider name
      • Available SSIDs and BSSIDs
      • IP Address type -- IPv4 or IPv6
      • Signal Quality percentage and changes
      • Hotspot presence detection and success rate
      • TCP connection performance
      • Miracast device names
      • Hashed IP address
      + +**Device properties sub-type:** Information about the operating system and device hardware + +- Operating system - version name, edition +- Installation type, subscription status, and genuine operating system status +- Processor architecture, speed, number of cores, manufacturer, and model +- OEM details --manufacturer, model, and serial number +- Device identifier and Xbox serial number +- Firmware/BIOS operating system -- type, manufacturer, model, and version +- Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory +- Storage -- total capacity and disk type +- Battery -- charge capacity and InstantOn support +- Hardware chassis type, color, and form factor +- Is this a virtual machine? + +**Device capabilities sub-type:** Information about the capabilities of the device + +- Camera -- whether the device has a front facing camera, a rear facing camera, or both. +- Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported? +- Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2 +- Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version +- Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware +- Voice -- whether voice interaction is supported and the number of active microphones +- Number of displays, resolutions, and DPI +- Wireless capabilities +- OEM or platform face detection +- OEM or platform video stabilization and quality-level set +- Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability + +**Device preferences and settings sub-type:** Information about the device settings and user preferences + +- User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security +- User-provided device name +- Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network) +- Hashed representation of the domain name +- MDM (mobile device management) enrollment settings and status +- BitLocker, Secure Boot, encryption settings, and status +- Windows Update settings and status +- Developer Unlock settings and status +- Default app choices +- Default browser choice +- Default language settings for app, input, keyboard, speech, and display +- App store update settings +- Enterprise OrganizationID, Commercial ID + +**Device peripherals sub-type:** Information about the peripherals of the device + +- Peripheral name, device model, class, manufacturer, and description +- Peripheral device state, install state, and checksum +- Driver name, package name, version, and manufacturer +- HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://docs.microsoft.com/windows-hardware/drivers/install/hardware-ids) +- Driver state, problem code, and checksum +- Whether driver is kernel mode, signed, and image size + +**Device network info sub-type:** Information about the device network configuration + +- Network system capabilities +- Local or Internet connectivity status +- Proxy, gateway, DHCP, DNS details, and addresses +- Whether it's a paid or free network +- Whether the wireless driver is emulated +- Whether it's access point mode-capable +- Access point manufacturer, model, and MAC address +- WDI Version +- Name of networking driver service +- Wi-Fi Direct details +- Wi-Fi device hardware ID and manufacturer +- Wi-Fi scan attempt and item counts +- Whether MAC randomization is supported and enabled +- Number of supported spatial streams and channel frequencies +- Whether Manual or Auto-connect is enabled +- Time and result of each connection attempt +- Airplane mode status and attempts +- Interface description provided by the manufacturer +- Data transfer rates +- Cipher algorithm +- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO) +- Mobile operator and service provider name +- Available SSIDs and BSSIDs +- IP Address type -- IPv4 or IPv6 +- Signal Quality percentage and changes +- Hotspot presence detection and success rate +- TCP connection performance +- Miracast device names +- Hashed IP address ## Product and Service Usage data This type of data includes details about the usage of the device, operating system, applications and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability. @@ -95,32 +178,60 @@ This type of data includes details about the usage of the device, operating syst [Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: - Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps. - - Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users. - - Data about whether devices have Suggestions turned off from the **Settings Phone** screen is to improve the Suggestions feature. - - Data about whether a user canceled the authentication process in their browser is used to help troubleshoot issues with and improve the authentication process. - - Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation in Cortana. - - Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app. **With (optional) Tailored experiences:**
      If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: - If data shows that a user has not used a particular feature of Windows, we may recommend that the user try that feature. - - Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These may be free or paid apps. ### Data Description for Product and Service Usage data type -|Sub-type|Description and examples | -|- |- | -|App usage|Information about Windows and application usage, such as:
      • Operating system component and app feature usage
      • User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites
      • Time of and count of app and component launches, duration of use, session GUID, and process ID
      • App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction
      • User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long
      • Cortana launch entry point and reason
      • Notification delivery requests and status
      • Apps used to edit images and videos
      • SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary lines
      • Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines
      • Emergency alerts are received or displayed statistics
      • Content searches within an app
      • Reading activity -- bookmarked, printed, or had the layout changed
      | -|App or product state|Information about Windows and application state, such as:
      • Start Menu and Taskbar pins
      • Online and offline status
      • App launch state –- with deep-links, such as Groove launching with an audio track to play or MMS launching to share a picture
      • Personalization impressions delivered
      • Whether the user clicked on, or hovered over, UI controls or hotspots
      • User provided feedback, such as Like, Dislike or a rating
      • Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to.
      | -|Purchasing|Information about purchases made on the device, such as:
      • Product ID, edition ID and product URI
      • Offer details -- price
      • Date and time an order was requested
      • Microsoft Store client type -- web or native client
      • Purchase quantity and price
      • Payment type -- credit card type and PayPal
      | -|Login properties|Information about logins on the device, such as:
      • Login success or failure
      • Login sessions and state
      | + +**App usage sub-type:** Information about Windows and application usage + +- Operating system component and app feature usage +- User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites +- Time of and count of app and component launches, duration of use, session GUID, and process ID +- App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction +- User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long +- Cortana launch entry point and reason +- Notification delivery requests and status +- Apps used to edit images and videos +- SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary lines +- Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines +- Emergency alerts are received or displayed statistics +- Content searches within an app +- Reading activity -- bookmarked, printed, or had the layout changed + +**App or product state sub-type:** Information about Windows and application state + +- Start Menu and Taskbar pins +- Online and offline status +- App launch state –- with deep-links, such as Groove launching with an audio track to play or MMS launching to share a picture +- Personalization impressions delivered +- Whether the user clicked on, or hovered over, UI controls or hotspots +- User provided feedback, such as Like, Dislike or a rating +- Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to. + +**Purchasing sub-type:** Information about purchases made on the device + +- Product ID, edition ID and product URI +- Offer details -- price +- Date and time an order was requested +- Microsoft Store client type -- web or native client +- Purchase quantity and price +- Payment type -- credit card type and PayPal + +**Login properties sub-type:** Information about logins on the device + +- Login success or failure +- Login sessions and state ## Product and Service Performance data This type of data includes details about the health of the device, operating system, apps, and drivers. Product and Service Performance data is equivalent to ISO/IEC 19944:2017 8.2.3.2.2 EUII Telemetry data. @@ -131,35 +242,109 @@ This type of data includes details about the health of the device, operating sys [Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: - Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations. - - Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening peformance. - - Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance. - - Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance. **With (optional) Tailored experiences:**
      If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. - Data about battery performance on a device may be used to recommend settings changes that can improve battery performance. - - If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space. - - If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These may be free or paid apps. **Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.** ### Data Description for Product and Service Performance data type -|Sub-type|Description and examples | -|- |- | -|Device health and crash data|Information about the device and software health, such as:
      • Error codes and error messages, name and ID of the app, and process reporting the error
      • DLL library predicted to be the source of the error -- for example, xyz.dll
      • System generated files -- app or product logs and trace files to help diagnose a crash or hang
      • System settings, such as registry keys
      • User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
      • Details and counts of abnormal shutdowns, hangs, and crashes
      • Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data
      • Crash and hang dumps, including:
        • The recorded state of the working memory at the point of the crash
        • Memory in-use by the kernel at the point of the crash.
        • Memory in-use by the application at the point of the crash
        • All the physical memory used by Windows at the point of the crash
        • Class and function name within the module that failed.
        | -|Device performance and reliability data|Information about the device and software performance, such as:
        • User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
        • Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
        • In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
        • User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
        • UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
        • Disk footprint -- Free disk space, out of memory conditions, and disk score
        • Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
        • Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
        • Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
        • Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
        • Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
        • Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
        • Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
        | -|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.
        • Video Width, height, color palette, encoding (compression) type, and encryption type
        • Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
        • URL for a specific two-second chunk of content if there is an error
        • Full-screen viewing mode details
        | -|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening, or habits.
        • Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service
        • Content type (video, audio, or surround audio)
        • Local media library collection statistics -- number of purchased tracks and number of playlists
        • Region mismatch -- User's operating system region and Xbox Live region
        | -|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.
        • App accessing content and status and options used to open a Microsoft Store book
        • Language of the book
        • Time spent reading content
        • Content type and size details
        | -|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening, or habits.
        • File source data -- local, SD card, network device, and OneDrive
        • Image and video resolution, video length, file sizes types, and encoding
        • Collection view or full screen viewer use and duration of view
        | -|On-device file query |Information about local search activity on the device, such as:
        • Kind of query issued and index type (ConstraintIndex or SystemIndex)
        • Number of items requested and retrieved
        • File extension of search result with which the user interacted
        • Launched item type, file extension, index of origin, and the App ID of the opening app
        • Name of process calling the indexer and the amount of time to service the query
        • A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)
        | -|Entitlements |Information about entitlements on the device, such as:
        • Service subscription status and errors
        • DRM and license rights details -- Groove subscription or operating system volume license
        • Entitlement ID, lease ID, and package ID of the install package
        • Entitlement revocation
        • License type (trial, offline versus online) and duration
        • License usage session
        | + +**Device health and crash data sub-type:** Information about the device and software health + +- Error codes and error messages, name and ID of the app, and process reporting the error +- DLL library predicted to be the source of the error -- for example, xyz.dll +- System generated files -- app or product logs and trace files to help diagnose a crash or hang +- System settings, such as registry keys +- User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files +- Details and counts of abnormal shutdowns, hangs, and crashes +- Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data +- Crash and hang dumps, including: + - The recorded state of the working memory at the point of the crash + - Memory in-use by the kernel at the point of the crash. + - Memory in-use by the application at the point of the crash + - All the physical memory used by Windows at the point of the crash + - Class and function name within the module that failed. + +**Device performance and reliability data sub-type:** Information about the device and software performance + +- User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability +- Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations) +- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction +- User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score +- UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance +- Disk footprint -- Free disk space, out of memory conditions, and disk score +- Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states +- Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results +- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times +- Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account +- Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions +- Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol +- Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system + +**Movies sub-type:** Information about movie consumption functionality on the device + +> [!NOTE] +> This isn't intended to capture user viewing, listening, or habits. + +- Video Width, height, color palette, encoding (compression) type, and encryption type +- Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth +- URL for a specific two-second chunk of content if there is an error +- Full-screen viewing mode details + +**Music & TV sub-type:** Information about music and TV consumption on the device + +> [!NOTE] +> This isn't intended to capture user viewing, listening, or habits. + +- Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service +- Content type (video, audio, or surround audio) +- Local media library collection statistics -- number of purchased tracks and number of playlists +- Region mismatch -- User's operating system region and Xbox Live region + +**Reading sub-type:** Information about reading consumption functionality on the device + +> [!NOTE] +> This isn't intended to capture user viewing, listening, or habits. + +- App accessing content and status and options used to open a Microsoft Store book +- Language of the book +- Time spent reading content +- Content type and size details + +**Photos app sub-type:** Information about photos usage on the device + +> [!NOTE] +> This isn't intended to capture user viewing, listening, or habits. + +- File source data -- local, SD card, network device, and OneDrive +- Image and video resolution, video length, file sizes types, and encoding +- Collection view or full screen viewer use and duration of view + +**On-device file query sub-type:** Information about local search activity on the device + +- Kind of query issued and index type (ConstraintIndex or SystemIndex) +- Number of items requested and retrieved +- File extension of search result with which the user interacted +- Launched item type, file extension, index of origin, and the App ID of the opening app +- Name of process calling the indexer and the amount of time to service the query +- A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built) + +**Entitlements sub-type:** Information about entitlements on the device + +- Service subscription status and errors +- DRM and license rights details -- Groove subscription or operating system volume license +- Entitlement ID, lease ID, and package ID of the install package +- Entitlement revocation +- License type (trial, offline versus online) and duration +- License usage session ## Software Setup and Inventory data This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability. @@ -170,11 +355,8 @@ This type of data includes software installation and update information on the d [Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: - Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues which should block or delay a Windows update. - - Data about when a download starts and finishes on a device is used to understand and address download problems. - - Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device. - - Data about the antimalware installed on a device is used to understand malware transmissions vectors. **With (optional) Tailored experiences:**
        @@ -183,10 +365,28 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud - Data about the specific apps that are installed on a device is used to provide recommendations for similar or complementary apps in the Microsoft Store. ### Data Description for Software Setup and Inventory data type -|Sub-type|Description and examples | -|- |- | -|Installed Applications and Install History|Information about apps, drivers, update packages, or operating system components installed on the device, such as:
        • App, driver, update package, or component’s Name, ID, or Package Family Name
        • Product, SKU, availability, catalog, content, and Bundle IDs
        • Operating system component, app or driver publisher, language, version and type (Win32 or UWP)
        • Install date, method, install directory, and count of install attempts
        • MSI package and product code
        • Original operating system version at install time
        • User, administrator, or mandatory installation or update
        • Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update
        | -|Device update information |Information about Windows Update, such as:
        • Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)
        • Number of applicable updates, importance, and type
        • Update download size and source -- CDN or LAN peers
        • Delay upgrade status and configuration
        • Operating system uninstall and rollback status and count
        • Windows Update server and service URL
        • Windows Update machine ID
        • Windows Insider build details
        | + +**Installed applications and install history sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device + +- App, driver, update package, or component’s Name, ID, or Package Family Name +- Product, SKU, availability, catalog, content, and Bundle IDs +- Operating system component, app or driver publisher, language, version and type (Win32 or UWP) +- Install date, method, install directory, and count of install attempts +- MSI package and product code +- Original operating system version at install time +- User, administrator, or mandatory installation or update +- Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update + +**Device update information sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device + +- Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results) +- Number of applicable updates, importance, and type +- Update download size and source -- CDN or LAN peers +- Delay upgrade status and configuration +- Operating system uninstall and rollback status and count +- Windows Update server and service URL +- Windows Update machine ID +- Windows Insider build details ## Browsing History data This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history. @@ -197,13 +397,9 @@ This type of data includes details about web browsing in the Microsoft browsers. [Pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example: - Data about when the **Block Content** dialog box has been shown is used for investigations of blocked content. - - Data about potentially abusive or malicious domains is used to make updates to Microsoft Edge and Windows Defender SmartScreen to warn users about the domain. - - Data about when the **Address** bar is used for navigation purposes is used to improve the Suggested Sites feature and to understand and address problems arising from navigation. - - Data about when a Web Notes session starts is used to measure popular domains and URLs for the Web Notes feature. - - Data about when a default **Home** page is changed by a user is used to measure which default **Home** pages are the most popular and how often users change the default **Home** page. **With (optional) Tailored experiences:**
        @@ -212,9 +408,17 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud - We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app. ### Data Description for Browsing History data type -|Sub-type|Description and examples | -|- |- | -|Microsoft browser data|Information about **Address** bar and **Search** box performance on the device, such as:
        • Text typed in **Address** bar and **Search** box
        • Text selected for an **Ask Cortana** search
        • Service response time
        • Auto-completed text, if there was an auto-complete
        • Navigation suggestions provided based on local history and favorites
        • Browser ID
        • URLs (may include search terms)
        • Page title
        | + +**Microsoft browser data sub-type:** Information about **Address** bar and **Search** box performance on the device + +- Text typed in **Address** bar and **Search** box +- Text selected for an Ask Cortana search +- Service response time +- Auto-completed text, if there was an auto-complete +- Navigation suggestions provided based on local history and favorites +- Browser ID +- URLs (may include search terms) +- Page title ## Inking Typing and Speech Utterance data This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information. @@ -225,13 +429,9 @@ This type of data gathers details about the voice, inking, and typing input feat [Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example: - Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature. - - Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature. - - Data about auto-corrected words that were restored back to the original word by the user is used to improve the auto-correct feature. - - Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition. - - Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition. **With (optional) Tailored experiences:** @@ -239,26 +439,69 @@ This type of data gathers details about the voice, inking, and typing input feat **Microsoft doesn't use Windows Inking, Typing, and Speech Utterance data for Tailored experiences.** ### Data Description for Inking, Typing, and Speech Utterance data type -|Sub-type|Description and examples | -|- |- | -|Voice, inking, and typing|Information about voice, inking and typing features, such as:
        • Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used
        • Pen gestures (click, double click, pan, zoom, or rotate)
        • Palm Touch x,y coordinates
        • Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
        • Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
        • Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
        • Text of speech recognition results -- result codes and recognized text
        • Language and model of the recognizer and the System Speech language
        • App ID using speech features
        • Whether user is known to be a child
        • Confidence and success or failure of speech recognition
        | + +**Voice, inking, and typing sub-type:** Information about voice, inking and typing features + +- Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used +- Pen gestures (click, double click, pan, zoom, or rotate) +- Palm Touch x,y coordinates +- Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate +- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user +- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user +- Text of speech recognition results -- result codes and recognized text +- Language and model of the recognizer and the System Speech language +- App ID using speech features +- Whether user is known to be a child +- Confidence and success or failure of speech recognition ## ISO/IEC 19944:2017-specific terminology -This table provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article. -|Term |ISO/IEC 19944:2017 Reference |Microsoft usage notes | -|-|-|-| -|Provide |9.3.2 Provide |Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates.| -|Improve |9.3.3 Improve |Use of a specified data category to improve or increase the quality of a Microsoft product or service. Those improvements may be available to end users.| -|Personalize |9.3.4 Personalize |Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service.| -|Recommend |9.3.4 Personalize |“Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money.

        Use of the specified data categories give recommendations about Microsoft products or services the end user may act on where the recommendation is (i) contextually relevant to the product or service in which it appears, (ii) that can be accessed without the need to make a purchase or pay money, and (iii) Microsoft receives no compensation for the placement.| -|Offer |9.3.5 Offer upgrades or upsell |Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.

        Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.| -|Promote|9.3.6 Market/advertise/promote|Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service.| +This section provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article. -

        +### Provide -|Data identification qualifiers |ISO/IEC 19944:2017 Reference |Microsoft usage notes | -|-|-|-| -|Pseudonymized Data |8.3.3 Pseudonymized data|As defined| -|Anonymized Data |8.3.5 Anonymized data|As defined| -|Aggregated Data |8.3.6 Aggregated data|As defined| \ No newline at end of file +ISO/IEC 19944:2017 Reference: **9.3.2 Provide** + +Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates. + +### Improve + +ISO/IEC 19944:2017 Reference: **9.3.3 Improve** + +Use of a specified data category to improve or increase the quality of a Microsoft product or service. Those improvements may be available to end users. + +### Personalize + +ISO/IEC 19944:2017 Reference: **9.3.4 Personalize** + +Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service. + +### Recommend + +ISO/IEC 19944:2017 Reference: **9.3.4 Personalize** + +“Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money. + +Use of the specified data categories give recommendations about Microsoft products or services the end user may act on where the recommendation is (i) contextually relevant to the product or service in which it appears, (ii) that can be accessed without the need to make a purchase or pay money, and (iii) Microsoft receives no compensation for the placement. + +### Offer + +ISO/IEC 19944:2017 Reference: **9.3.5 Offer upgrades or upsell** + +Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers. + +Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement. + +### Promote + +ISO/IEC 19944:2017 Reference: **9.3.6 Market/advertise/promote** + +Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service. + +### Data identification qualifiers + +Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference: + +- **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined. +- **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined. +- **Aggregated Data** 8.3.6 Aggregated data. Microsoft usage notes are as defined. \ No newline at end of file diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md index b0ee83d6a3..89c04ebc76 100644 --- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md @@ -26,7 +26,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. @@ -49,7 +50,6 @@ We used the following methodology to derive these network endpoints: | *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). | | *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. | | .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | | 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | | 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. | | arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. | @@ -108,7 +108,13 @@ We used the following methodology to derive these network endpoints: | v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | | wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | | wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | | wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | | wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | | www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. | @@ -192,12 +198,17 @@ We used the following methodology to derive these network endpoints: | storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. | | store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | | store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | | tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | | tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | | v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. | | wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | | wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. | | wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. | | www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. | @@ -265,9 +276,15 @@ We used the following methodology to derive these network endpoints: | sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. | | store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. | | tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. | -| telecommand.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | +| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. | | tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. | | wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. | -| watson.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. | + | wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. | | www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | \ No newline at end of file diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md index ea2c517a4f..76098f6d9e 100644 --- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md @@ -26,7 +26,8 @@ We used the following methodology to derive these network endpoints: 2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). 3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. 4. Compile reports on traffic going to public IP addresses. -5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. > [!NOTE] > Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md new file mode 100644 index 0000000000..284de7b96d --- /dev/null +++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md @@ -0,0 +1,159 @@ +--- +title: Windows 10, version 1809, connection endpoints for non-Enterprise editions +description: Explains what Windows 10 endpoints are used in non-Enterprise editions. +keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016 +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.localizationpriority: high +author: danihalfin +ms.author: daniha +ms.date: 6/26/2018 +--- +# Windows 10, version 1809, connection endpoints for non-Enterprise editions + + **Applies to** + +- Windows 10 Home, version 1809 +- Windows 10 Professional, version 1809 +- Windows 10 Education, version 1809 + +In addition to the endpoints listed for [Windows 10 Enterprise](manage-windows-1809-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1809. + +We used the following methodology to derive these network endpoints: + +1. Set up the latest version of Windows 10 on a test virtual machine using the default settings. +2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device). +3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic. +4. Compile reports on traffic going to public IP addresses. +5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory. +6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here. + +> [!NOTE] +> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time. + +## Windows 10 Family + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +|*.aria.microsoft.com* | HTTPS | Office Telemetry +|*.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. +|*.download.windowsupdate.com* | HTTP | Used to download operating system patches and updates. +|*.g.akamai.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. +|*.msn.com* |TLSv1.2/HTTPS | Windows Spotlight related traffic +|*.Skype.com | HTTP/HTTPS | Skype related traffic +|*.smartscreen.microsoft.com* | HTTPS | Windows Defender Smartscreen related traffic +|*.telecommand.telemetry.microsoft.com* | HTTPS | Used by Windows Error Reporting. +|*cdn.onenote.net* | HTTP | OneNote related traffic +|*displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|*emdl.ws.microsoft.com* | HTTP | Windows Update related traffic +|*geo-prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|*hwcdn.net* | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. +|*img-prod-cms-rt-microsoft-com.akamaized.net* | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). +|*maps.windows.com* | HTTPS | Related to Maps application. +|*msedge.net* | HTTPS | Used by OfficeHub to get the metadata of Office apps. +|*nexusrules.officeapps.live.com* | HTTPS | Office Telemetry +|*photos.microsoft.com* | HTTPS | Photos App related traffic +|*prod.do.dsp.mp.microsoft.com* |TLSv1.2/HTTPS | Used for Windows Update downloads of apps and OS updates. +|*wac.phicdn.net* | HTTP | Windows Update related traffic +|*windowsupdate.com* | HTTP | Windows Update related traffic +|*wns.windows.com* | HTTPS, TLSv1.2 | Used for the Windows Push Notification Services (WNS). +|*wpc.v0cdn.net* | | Windows Telemetry related traffic +|auth.gfx.ms/16.000.27934.1/OldConvergedLogin_PCore.js | | MSA related +|evoke-windowsservices-tas.msedge* | HTTPS | The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office Online. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them. +|fe2.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fe3.*.mp.microsoft.com.* |TLSv1.2/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. +|fs.microsoft.com | | Font Streaming (in ENT traffic) +|g.live.com* | HTTPS | Used by OneDrive +|iriscoremetadataprod.blob.core.windows.net | HTTPS | Windows Telemetry +|mscrl.micorosoft.com | | Certificate Revocation List related traffic. +|ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. +|officeclient.microsoft.com | HTTPS | Office related traffic. +|oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. +|purchase.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. +|ris.api.iris.microsoft.com* |TLSv1.2/HTTPS | Used to retrieve Windows Spotlight metadata. +|ris-prod-atm.trafficmanager.net | HTTPS | Azure traffic manager +|settings.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. +|settings-win.data.microsoft.com* | HTTPS | Used for Windows apps to dynamically update their configuration. +|sls.update.microsoft.com* |TLSv1.2/HTTPS | Enables connections to Windows Update. +|store*.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. +|storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. +|store-images.s-microsoft.com* | HTTP | Used to get images that are used for Microsoft Store suggestions. +|tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. +|tsfe.trafficshaping.dsp.mp.microsoft.com* |TLSv1.2 | Used for content regulation. +|v10.events.data.microsoft.com | HTTPS | Diagnostic Data +|wdcp.microsoft.* |TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. +|wd-prod-cp-us-west-1-fe.westus.cloudapp.azure.com | HTTPS | Windows Defender related traffic. +|www.bing.com* | HTTP | Used for updates for Cortana, apps, and Live Tiles. + +## Windows 10 Pro + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. | +| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. | +| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. | +| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| location-inference-westus.cloudapp.net | HTTPS | Used for location data. | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic | + + +## Windows 10 Education + +| **Destination** | **Protocol** | **Description** | +| --- | --- | --- | +| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. | +| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. | +| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. | +| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. | +| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. | +| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. | +| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Office 365 portal’s shared infrastructure, including Office Online. | +| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values.  | +| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. | +| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. | +| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. | +| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. | +| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. | +| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. | +| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. | +| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. | +| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. | +| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application | +| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. | +| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Office 365 portal's shared infrastructure. | +| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. | +| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. | +| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. | +| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. | +| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. | +| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. | +| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. | +| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. | +| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. | +| bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. | diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md index 3743dc7b3b..e830022a97 100644 --- a/windows/privacy/windows-personal-data-services-configuration.md +++ b/windows/privacy/windows-personal-data-services-configuration.md @@ -59,6 +59,9 @@ This setting determines the amount of Windows diagnostic data sent to Microsoft. >| **Default setting** | 2 - Enhanced | >| **Recommended** | 2 - Enhanced | +>[!NOTE] +>When both the Computer Configuration policy and User Configuration policy are set, the more restrictive policy is used. + #### Registry > [!div class="mx-tableFixed"] @@ -123,7 +126,7 @@ This setting determines whether a device shows notifications about Windows diagn ### Configure telemetry opt-in setting user interface -This setting determines whether people can change their own Windows diagnostic data level in in *Start > Settings > Privacy > Diagnostics & feedback*. +This setting determines whether people can change their own Windows diagnostic data level in *Start > Settings > Privacy > Diagnostics & feedback*. #### Group Policy @@ -193,7 +196,7 @@ The following settings determine whether fixed and removable drives are protecte >| | | >|:-|:-| >| **MDM CSP** | BitLocker | ->| **Policy** | RemovableDrivesRequireEncryption | +>| **Policy** | FixedDrivesRequireEncryption | >| **Default setting** | Disabled | >| **Recommended** | Enabled (see [instructions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption)) | diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md index d08c52de33..5516d2dc33 100644 --- a/windows/security/identity-protection/access-control/access-control.md +++ b/windows/security/identity-protection/access-control/access-control.md @@ -126,7 +126,7 @@ For more information about auditing, see [Security Auditing Overview](/windows/d ## See also -- For more information about access control and authorization, see [Access Control and Authorization Overview](https://technet.microsoft.com/en-us/library/jj134043(v=ws.11).aspx). +- For more information about access control and authorization, see [Access Control and Authorization Overview](https://technet.microsoft.com/library/jj134043(v=ws.11).aspx).   diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index b7b1c25886..53820f7491 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.date: 07/30/2018 +ms.date: 12/10/2018 --- # Local Accounts @@ -16,15 +16,8 @@ ms.date: 07/30/2018 This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an Active Directory domain controller. -**Did you mean…** - -- [Active Directory Accounts](active-directory-accounts.md) - -- [Microsoft Accounts](microsoft-accounts.md) - ## About local user accounts - Local user accounts are stored locally on the server. These accounts can be assigned rights and permissions on a particular server, but on that server only. Local user accounts are security principals that are used to secure and manage access to the resources on a standalone or member server for services or users. This topic describes the following: @@ -96,7 +89,7 @@ Because the Administrator account is known to exist on many versions of the Wind You can rename the Administrator account. However, a renamed Administrator account continues to use the same automatically assigned security identifier (SID), which can be discovered by malicious users. For more information about how to rename or disable a user account, see [Disable or activate a local user account](https://technet.microsoft.com/library/cc732112.aspx) and [Rename a local user account](https://technet.microsoft.com/library/cc725595.aspx). -As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Do not use the Administrator account to sign in to your computer unless it is entirely necessary. For more information, see [Run a program with administrative credentials](https://technet.microsoft.com/en-us/library/cc732200.aspx). +As a security best practice, use your local (non-Administrator) account to sign in and then use **Run as administrator** to accomplish tasks that require a higher level of rights than a standard user account. Do not use the Administrator account to sign in to your computer unless it is entirely necessary. For more information, see [Run a program with administrative credentials](https://technet.microsoft.com/library/cc732200.aspx). In comparison, on the Windows client operating system, a user with a local user account that has Administrator rights is considered the system administrator of the client computer. The first local user account that is created during installation is placed in the local Administrators group. However, when multiple users run as local administrators, the IT staff has no control over these users or their client computers. @@ -475,14 +468,9 @@ Passwords can be randomized by: - Purchasing and implementing an enterprise tool to accomplish this task. These tools are commonly referred to as "privileged password management" tools. -- Configuring, customizing and implementing a free tool to accomplish this task. A sample tool with source code is available at [Solution for management of built-in Administrator account’s password via GPO](https://code.msdn.microsoft.com/windowsdesktop/Solution-for-management-of-ae44e789). +- Configuring [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/download/details.aspx?id=46899) to accomplish this task. - **Note**   - This tool is not supported by Microsoft. There are some important considerations to make before deploying this tool because this tool requires client-side extensions and schema extensions to support password generation and storage. - -   - -- Create and implement a custom script or solution to randomize local account passwords. +- Creating and implementing a custom script or solution to randomize local account passwords. ## See also diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index 32cfdf5470..2ce6157d51 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -74,7 +74,7 @@ CertReq -EnrollCredGuardCert MachineAuthentication   ##### How a certificate issuance policy can be used for access control -Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. +Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/library/dd378897(v=ws.10).aspx) on TechNet. **To see the issuance policies available** diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md index 37b2f2e983..41b2e20eb2 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md @@ -63,7 +63,7 @@ Beginning with Windows 10 and Windows Server 2016, domain-devices automatically Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](https://docs.microsoft.com/windows-server/security/kerberos/domain-joined-device-public-key-authentication). -Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](https://msdn.microsoft.com/en-us/library/cc980032.aspx). +Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](https://docs.microsoft.com/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](https://msdn.microsoft.com/library/cc980032.aspx). ### Breaking DPAPI on domain-joined devices On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible. @@ -88,7 +88,7 @@ Once the device has connectivity to the domain controllers, DPAPI recovers the u #### Impact of DPAPI failures on Windows Information Protection When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened. If DPAPI is working, then newly created work data is protected and can be accessed. -**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). +**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). ## See also diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 99f325055f..f5edbab628 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -99,7 +99,7 @@ CertReq -EnrollCredGuardCert MachineAuthentication   ##### How a certificate issuance policy can be used for access control -Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/en-us/library/dd378897(v=ws.10).aspx) on TechNet. +Beginning with the Windows Server 2008 R2 domain functional level, domain controllers support for authentication mechanism assurance provides a way to map certificate issuance policy OIDs to universal security groups. Windows Server 2012 domain controllers with claim support can map them to claims. To learn more about authentication mechanism assurance, see [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](https://technet.microsoft.com/library/dd378897(v=ws.10).aspx) on TechNet. **To see the issuance policies available** @@ -152,7 +152,7 @@ Authentication policies have the following requirements: To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. -To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx). +To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/library/dn486813(v=ws.11).aspx). diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 2e605bc8fe..ccbb1809a4 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -47,7 +47,7 @@ Credential Guard can protect secrets in a Hyper-V virtual machine, just as it wo For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/) -For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard#hardware-and-software-requirements) +For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](https://docs.microsoft.com/windows/access-protection/remote-credential-guard#hardware-and-software-requirements) ## Application requirements @@ -120,7 +120,7 @@ The following tables describe baseline protections, plus protections for improve | Protections for Improved Security | Description |Security Benefits | |---|---|---| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
        Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
        • The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332(v=vs.85).aspx). | Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
        • HSTI provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | **Requirements**:
        Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)
        • The Hardware Security Test Interface (HSTI) must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/library/windows/hardware/mt712332(v=vs.85).aspx). | Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
        • HSTI provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | **Requirements**: Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | | Firmware: **Securing Boot Configuration and Management** | **Requirements**:
        • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
        • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software. | • Enterprises can choose to allow proprietary EFI drivers/applications to run.
        • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 570b69dde7..4cf3f03202 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -25,7 +25,7 @@ The following guidance describes deploying a new instance of Active Directory Fe If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. -If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. +If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. @@ -37,7 +37,7 @@ Prepare the Active Directory Federation Services deployment by installing and up Sign-in the federation server with _local admin_ equivalent credentials. 1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. -2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889). +2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). >[!IMPORTANT] >The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md index e8ac53a3f2..be690848aa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md @@ -353,7 +353,7 @@ The Web Service SDK section allows the administrator to install the Multi-Factor Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. -Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK. +Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK. ## Install Secondary MFA Servers diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 97f8ceee36..f33d7bbf02 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -131,7 +131,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m ## Review Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) +* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions) * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) * Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting. * Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 63ea357adc..ea525b612e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -35,10 +35,10 @@ On-premises deployments, both key and certificate trust, use the Azure MFA serve A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. -Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. +Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. >[!IMPORTANT] ->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use instllation instructions provided in the article. +>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use instllation instructions provided in the article. Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md). diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 2a7d32efaf..c34aaa4692 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -88,13 +88,13 @@ The **certificate trust** model authenticates to Active Directory using a certif There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment ## What attributes are synchronized by Azure AD Connect with Windows Hello for Business? -Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes. +Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes. ## Is Windows Hello for Business multifactor authentication? Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". ## What are the biometric requirements for Windows Hello for Business? -Read [Windows Hello biometric requirements](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. +Read [Windows Hello biometric requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information. ## Can I use PIN and biometrics to unlock my device? Starting in Windows 10, version 1709, you can use multi-factor unlock to require the user to provide an additional factor to unlock the device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. Read more about [multifactor unlock](feature-multifactor-unlock.md). @@ -140,17 +140,17 @@ Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TP Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that does not require Internet connectivity to achieve an air-gapped Windows Hello for Business deployment. ## Can I use third-party authentication providers with Windows Hello for Business? -Yes, if you are federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods). +Yes, if you are federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods). ## Does Windows Hello for Business work with third party federation servers? Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) | Protocol | Description | | :---: | :--- | -| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/en-us/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | -| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. | -| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/en-us/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | -| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. | +| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | +| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. | +| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | +| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. | ## Does Windows Hello for Business work with Mac and Linux clients? Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index 5efa0cb2b4..d3128c154a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -38,7 +38,7 @@ In a mobile-first, cloud-first world, Azure Active Directory enables single sign To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access. -Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access. +Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access. ## Dynamic lock @@ -118,7 +118,7 @@ You configure Windows 10 to use the Microsoft PIN Reset service using the comput 4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. #### Configure Windows devices to use PIN reset using Microsoft Intune -To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/en-us/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP): +To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP): ##### Create a PIN Reset Device configuration profile using Microsoft Intune @@ -165,7 +165,7 @@ On-premises deployments provide users with the ability to reset forgotten PINs e 4. When finished, unlock your desktop using your newly created PIN. >[!NOTE] -> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. +> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. ## Dual Enrollment @@ -178,7 +178,7 @@ On-premises deployments provide users with the ability to reset forgotten PINs e > This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature. > [!IMPORTANT] -> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information. +> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information. Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device. @@ -250,7 +250,7 @@ This same concept applies to Windows Hello for Business. Except, the keys are cr Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN. ### Compatibility -Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it. +Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it. ![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 7ae1ab1d14..a3d175023d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -19,7 +19,7 @@ Windows Hello for Business authentication is passwordless, two-factor authentica Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
        [Azure AD join authentication to Azure Active Directory](#Azure-AD-join-authentication-to-Azure-Active-Directory)
        -[Azure AD join authentication to Active Direcotry using a Key](#Azure-AD-join-authentication-to-Active-Direcotry-using-a-Key)
        +[Azure AD join authentication to Active Directory using a Key](#Azure-AD-join-authentication-to-Active-Directory-using-a-Key)
        [Azure AD join authentication to Active Directory using a Certificate](#Azure-AD-join-authentication-to-Active-Directory-using-a-Certificate)
        [Hybrid Azure AD join authentication using a Key](#Hybrid-Azure-AD-join-authentication-using-a-Key)
        [Hybrid Azure AD join authentication using a Certificate](#Hybrid-Azure-AD-join-authentication-using-a-Certificate)
        @@ -38,7 +38,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c [Return to top](#Windows-Hello-for-Business-and-Authentication) ## Azure AD join authentication to Active Directory using a Key -![Azure AD join authentication to Active Direotory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png) +![Azure AD join authentication to Active Directory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png) | Phase | Description | diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md index d2f8d995f9..5fc6baceb5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md @@ -17,10 +17,10 @@ ms.date: 08/19/2018 Device Registration is a prerequisite to Windows Hello for Business provisioning. Device registration occurs regardless of a cloud, hybrid, or on-premises deployments. For cloud and hybrid deployments, devices register with Azure Active Directory. For on-premises deployments, devices registered with the enterprise device registration service hosted by Active Directory Federation Services (AD FS). -[Azure AD joined in Managed environments](#Azure-AD-joined-in-Managed-environments)
        -[Azure AD joined in Federated environments](#Azure-AD-joined-in-Federated-environments)
        -[Hybrid Azure AD joined in Managed environments](#HybridAzure-AD-joined-in-Managed-environments)
        -[Hybrid Azure AD joined in Federated environments](#Hybrid-Azure-AD-joined-in-Federated-environments)
        +[Azure AD joined in Managed environments](#azure-ad-joined-in-managed-environments)
        +[Azure AD joined in Federated environments](#azure-ad-joined-in-federated-environments)
        +[Hybrid Azure AD joined in Managed environments](#hybrid-azure-ad-joined-in-managed-environments)
        +[Hybrid Azure AD joined in Federated environments](#hybrid-azure-ad-joined-in-federated-environments)
        @@ -47,7 +47,11 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning | :----: | :----------- | |A | The most common way Azure AD joined devices register with Azure is during the out-of-box-experience (OOBE) where it loads the Azure AD join web application in the Cloud Experience Host (CXH) application. The application sends a GET request to the Azure OpenID configuration endpoint to discover authorization endpoints. Azure returns the OpenID configuration, which includes the authorization endpoints, to application as JSON document.| |B | The application builds a sign-in request for the authorization end point and collects user credentials.| +<<<<<<< HEAD |C | After the user provides their user name (in UPN format), the application sends a GET request to Azure to discover corresponding realm information for the user. This determines if the environment is managed or federated. Azure returns the information in a JSON object. The application determines the environment is managed (non-federated).
        The application redirects to the AuthURL value (on-premises STS sign-in page) in the returned JSON realm object. The application collects credentials through the STS web page.| +======= +|C | After the user provides their user name (in UPN format), the application sends a GET request to Azure to discover corresponding realm information for the user. This determines if the environment is managed or federated. Azure returns the information in a JSON object. The application determines the environment is federated.
        The application redirects to the AuthURL value (on-premises STS sign-in page) in the returned JSON realm object. The application collects credentials through the STS web page.| +>>>>>>> master |D | The application POST the credential to the on-premises STS, which may require additional factors of authentication. The on-premises STS authenticates the user and returns a token. The application POSTs the token to Azure Active Directory for authentication. Azure Active Directory validates the token and returns an ID token with claims.| |E | The application looks for MDM terms of use (the mdm_tou_url claim). If present, the application retrieves the terms of use from the claim's value, present the contents to the user, and waits for the user to accept the terms of use. This step is optional and skipped if the claim is not present or if the claim value is empty.| |F | The application sends a device registration discovery request to the Azure Device Registration Service (ADRS). Azure DRS returns a discovery data document, which returns tenant specific URIs to complete device registration.| diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index e48b498d4e..ab1a856a27 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -8,33 +8,33 @@ ms.pagetype: security author: mikestephens-MS ms.author: mstephen localizationpriority: high -ms.date: 08/19/2018 +ms.date: 10/08/2018 --- # Technology and Terms **Applies to:** - Windows 10 -- [Attestation Identity Keys](#Attestation-Identity-Keys) -- [Azure AD Joined](#Azure-AD-Joined) -- [Azure AD Registered](#Azure-AD-Registered) -- [Certificate Trust](#Certificate-Trust) -- [Cloud Deployment](#Cloud-Deployment) -- [Deployment Type](#Deployment-Type) -- [Endorsement Key](#Endorsement-Key) -- [Federated Environment](#Federated-Environment) -- [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined) -- [Hybrid Deployment](#Hybrid-Deployment) -- [Join Type](#Join-Type) -- [Key Trust](#Key-Trust) -- [Managed Environment](#Managed-Environment) -- [On-premises Deployment](#Onpremises-Deployment) -- [Pass-through Authentication](#Passthrough-Authentication) -- [Password Hash Synchronization](#Password-Hash-Synchronization) -- [Primary Refresh Token](#Primary-Refresh-Token) -- [Storage Root Key](#Storage-Root-Key) -- [Trust Type](#Trust-Type) -- [Trusted Platform Module](#Trusted-Platform-Module) +- [Attestation Identity Keys](#attestation-identity-keys) +- [Azure AD Joined](#azure-ad-joined) +- [Azure AD Registered](#azure-ad-registered) +- [Certificate Trust](#certificate-trust) +- [Cloud Deployment](#cloud-deployment) +- [Deployment Type](#deployment-type) +- [Endorsement Key](#endorsement-key) +- [Federated Environment](#federated-environment) +- [Hybrid Azure AD Joined](#hybrid-azure-ad-joined) +- [Hybrid Deployment](#hybrid-deployment) +- [Join Type](#join-type) +- [Key Trust](#key-trust) +- [Managed Environment](#managed-environment) +- [On-premises Deployment](#on-premises-deployment) +- [Pass-through Authentication](#passthrough-authentication) +- [Password Hash Synchronization](#password-hash-synchronization) +- [Primary Refresh Token](#primary-refresh-token) +- [Storage Root Key](#storage-root-key) +- [Trust Type](#trust-type) +- [Trusted Platform Module](#trusted-platform-module)
        ## Attestation Identity Keys @@ -44,58 +44,57 @@ Because the endorsement certificate is unique for each device and does not chang > The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. > The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. -Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft -Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device. +Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device. Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. ### Related topics -[Endorsement Key](#Endorsement-Key), [Storage Root Key](#Storage-Root-Key), [Trusted Platform Module](#Trusted-Platform-Module) +[Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module) ### More information -- [Windows Client Certificate Enrollment Protocol: Glossary](https://msdn.microsoft.com/en-us/library/cc249746.aspx#gt_70efa425-6b46-462f-911d-d399404529ab) +- [Windows Client Certificate Enrollment Protocol: Glossary](https://msdn.microsoft.com/library/cc249746.aspx#gt_70efa425-6b46-462f-911d-d399404529ab) - [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Azure AD Joined Azure AD Join is intended for organizations that desire to be cloud-first or cloud-only. There is no restriction on the size or type of organizations that can deploy Azure AD Join. Azure AD Join works well even in an hybrid environment and can enable access to on-premise applications and resources. ### Related topics -[Join Type](#Join-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined) +[Join Type](#join-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined) ### More information - - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction). + - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction). -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Azure AD Registered The goal of Azure AD registered devices is to provide you with support for the Bring Your Own Device (BYOD) scenario. In this scenario, a user can access your organization's Azure Active Directory controlled resources using a personal device. ### Related topics -[Azure AD Joined](#Azure-AD-Joined), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Join Type](#Join-Type) +[Azure AD Joined](#azure-ad-joined), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Join Type](#join-type) ### More information -- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) +- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Certificate Trust The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers. ### Related topics -[Deployment Type](#Deployment-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Hybrid Deployment](#Hybrid-Deployment), [Key Trust](#Key-Trust), [On-premises Deployment](#Onpremises-Deployment), [Trust Type](#Trust-Type) +[Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type) ### More information - [Windows Hello for Business Planning Guide](hello-planning-guide.md) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Cloud Deployment The Windows Hello for Business Cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD joined or Azure AD registered device join types. ### Related topics -[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Deployment Type](#Deployment-Type), [Join Type](#Join-Type) +[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Deployment Type](#deployment-type), [Join Type](#join-type) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Deployment Type Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include: - Cloud @@ -103,12 +102,12 @@ Windows Hello for Business has three deployment models to accommodate the needs - On-Premises ### Related topics -[Cloud Deployment](#Cloud-Deployment), [Hybrid Deployment](#Hybrid-Deployment), [On-premises Deployment](#Onpremises-Deployment) +[Cloud Deployment](#cloud-deployment), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment) ### More information - [Windows Hello for Business Planning Guide](hello-planning-guide.md) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Endorsement Key The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). @@ -121,139 +120,144 @@ The endorsement key is often accompanied by one or two digital certificates: - One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. - The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. + For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10. ### Related topics -[Attestation Identity Keys](#Attestation-Identity-Keys), [Storage Root Key](#Storage-Root-Key), [Trusted Platform Module](#Trusted-Platform-Module) +[Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module) ### More information - [Understand the TPM endorsement key](https://go.microsoft.com/fwlink/p/?LinkId=733952). - [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Federated Environment Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure Active Directory and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they do not have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide additional authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. ### Related topics -[Hybrid Deployment](#Hybrid-Deployment), [Managed Environment](#Managed-Environment), [Pass-through authentication](#Passthrough-authentication), [Password Hash Sync](#Password-Hash-Sync) +[Hybrid Deployment](#hybrid-deployment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Sync](#password-hash-sync) ### More information -- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn) +- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Hybrid Azure AD Joined For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable: - IT departments to manage work-owned devices from a central location. - Users to sign in to their devices with their Active Directory work or school accounts. Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use System Center Configuration Manager (SCCM) or group policy (GP) to manage them. + If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory. ### Related topics -[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Deployment](#Hybrid-Deployment) +[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Deployment](#hybrid-deployment) ### More information -- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) +- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Hybrid Deployment The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that is synchronized with Azure Active Directory. Hybrid deployments support devices that are Azure AD registered, Azure AD joined, and hybrid Azure AD joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust. ### Related topics -[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), +[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), ### More information - [Windows Hello for Business Planning Guide](hello-planning-guide.md) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Join type Join type is how devices are associated with Azure Active Directory. For a device to authenticate to Azure Active Directory it must be registered or joined. + Registering a device to Azure AD enables you to manage a device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device. + When combined with a mobile device management(MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune . + Joining a device is an extension to registering a device. This means, it provides you with all the benefits of registering a device and in addition to this, it also changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account. ### Related topics -[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined) +[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined) ### More information -- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) +- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Key Trust The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers. ### Related topics -[Certificate Trust](#Certificate-Trust), [Deployment Type](#Deployment-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Hybrid Deployment](#Hybrid-Deployment), [On-premises Deployment](#Onpremises-Deployment), [Trust Type](#Trust-Type), [Trust Type](#Trust-Type) +[Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type) ### More information - [Windows Hello for Business Planning Guide](hello-planning-guide.md) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Managed Environment Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services. ### Related topics -[Federated Environment](#Federated-Environment), [Pass-through authentication](#Passthrough-authentication), [Password Hash Synchronization](#Password-Hash-Synchronization) +[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-synchronization) [Return to Top](#Technology-and-Terms) ## On-premises Deployment The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust. ### Related topics -[Cloud Deployment](#Cloud-Deployment), [Deployment Type](#Deployment-Type), [Hybrid Deployment](#Hybrid-Deployment) +[Cloud Deployment](#cloud-deployment), [Deployment Type](#deployment-type), [Hybrid Deployment](#hybrid-deployment) ### More information - [Windows Hello for Business Planning Guide](hello-planning-guide.md) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Pass-through authentication Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related topics -[Federated Environment](#Federated-Environment), [Managed Environment](#Managed-Environment), [Password Hash Synchronization](#Password-Hash-Synchronization) +[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-synchronization) ### More information -- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn) +- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn) -[Return to Top](#Technology-and-Terms) +[Return to Top](#hello-how-it-works-technology.md) ## Password Hash Sync The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. ### Related topics -[Federated Environment](#Federated-Environment), [Managed Environment](#Managed-Environment), [Pass-through authentication](#Passthrough-authentication) +[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication) ### More information -- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn) +- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Primary Refresh Token SSO relies on special tokens obtained for each of the types of applications above. These are in turn used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications we call this a Primary Refresh Token (PRT). This is a [JSON Web Token](http://openid.net/specs/draft-jones-json-web-token-07.html) containing claims about both the user and the device. -The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and domain joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.). +The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and hybrid Azure AD joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.). -The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied. +The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied. [Return to Top](#Technology-and-Terms) ## Storage Root Key The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken. ### Related topics -[Attestation Identity Keys](#Attestation-Identity-Keys), [Endorsement Key](#Endorsement-Key), [Trusted Platform Module](#Trusted-Platform-Module) +[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Trusted Platform Module](#trusted-platform-module) ### More information [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Trust type The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type does not affect authentication to Azure Active Directory. Windows Hello for Business authentication to Azure Active Directory always uses the key, not a certificate (excluding smart card authentication in a federated environment). ### Related topics -[Certificate Trust](#Certificate-Trust), [Hybrid Deployment](#Hybrid-Deployment), [Key Trust](#Key-Trust), [On-premises Deployment](#Onpremises-Deployment) +[Certificate Trust](#certificate-trust), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment) ### More information - [Windows Hello for Business Planning Guide](hello-planning-guide.md) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) ## Trusted Platform Module A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
        @@ -264,9 +268,9 @@ A TPM implements controls that meet the specification described by the Trusted C - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. -Windows10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). +Windows�10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). -Windows10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows10 supports only TPM 2.0. +Windows�10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows�10 supports only TPM 2.0. TPM 2.0 provides a major revision to the capabilities over TPM 1.2: @@ -289,12 +293,12 @@ In a simplified manner, the TPM is a passive component with limited resources. I ### Related topics -[Attestation Identity Keys](#Attestation-Identity-Keys), [Endorsement Key](#Endorsement-Key), [Storage Root Key](#Storage-Root-Key) +[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key) ### More information - [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) -[Return to Top](#Technology-and-Terms) +[Return to Top](hello-how-it-works-technology.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index fab2f25e0b..42d6273775 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -30,13 +30,13 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing - Domain Controller certificate ### Azure Active Directory Connect synchronization -Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect). +Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect). If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks. ![Azure AD Connect Schema Refresh](images/aadj/aadconnectschema.png) ### Azure Active Directory Device Registration -A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/devices/overview). +A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/devices/overview). You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory. ![dsregcmd outpout](images/aadj/dsregcmd.png) @@ -225,7 +225,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, 7. Repeat this procedure on all your domain controllers. > [!NOTE] -> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-guide) to learn how to deploy automatic certificate enrollment for domain controllers. +> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-deployment-guide) to learn how to deploy automatic certificate enrollment for domain controllers. > [!IMPORTANT] > If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index d47f46ccc8..d855efc036 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -100,7 +100,7 @@ Sign-in to a domain controller or management workstation with access equivalent 4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog. > [!NOTE] -> For high-availabilty, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration. +> For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration. ### Create the NDES Service Account The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account. @@ -686,4 +686,4 @@ You have successfully completed the configuration. Add users that need to enrol > * Install and Configure the NDES Role > * Configure Network Device Enrollment Services to work with Microsoft Intune > * Download, Install, and Configure the Intune Certificate Connector -> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) \ No newline at end of file +> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 33d6215205..376c0f16f1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -83,7 +83,7 @@ If you do have an existing public key infrastructure, please review [Certificati ## Azure Active Directory ## You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. -The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. +The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. ### Section Review @@ -95,7 +95,7 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h ## Multifactor Authentication Services Windows Hello for Business uses multi-factor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multi-factor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA -Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. +Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. ### Azure Multi-Factor Authentication (MFA) Cloud ### > [!IMPORTANT] @@ -107,16 +107,16 @@ As long as your users have licenses that include Azure Multi-Factor Authenticati > If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. #### Azure MFA Provider #### -If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. +If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. #### Configure Azure MFA Settings #### -Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. +Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. #### Azure MFA User States #### -After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. +After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. ### Azure MFA via ADFS 2016 ### -Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section +Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section ### Section Review diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 1ad4aaad24..74d04ce826 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md @@ -19,7 +19,7 @@ ms.date: 08/18/2018 - Certificate trust -You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. +Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. > [!IMPORTANT] > If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. @@ -35,12 +35,12 @@ Use this three phased approach for configuring device registration. > * Azure AD joined devices > * Hybrid Azure AD joined devices > -> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) +> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction) ## Configure Azure for Device Registration Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. -To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/) +To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/) ## Configure Active Directory to support Azure device synchronization @@ -82,23 +82,23 @@ Sign-in to the domain controller hosting the schema master operational role usin ### Setup Active Directory Federation Services -If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service. -Review the [AD FS Design guide](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service. +If you are new to AD FS and federation services, you should review [Understanding Key AD FS Concepts](https://docs.microsoft.com/windows-server/identity/ad-fs/technical-reference/understanding-key-ad-fs-concepts) to prior to designing and deploying your federation service. +Review the [AD FS Design guide](https://docs.microsoft.com/windows-server/identity/ad-fs/design/ad-fs-design-guide-in-windows-server-2012-r2) to plan your federation service. -Once you have your AD FS design ready, review [Deploying a Federation Server farm](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. +Once you have your AD FS design ready, review [Deploying a Federation Server farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. > [!IMPORTANT] > During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. -The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) +The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) #### ADFS Web Proxy ### Federation server proxies are computers that run AD FS software that have been configured manually to act in the proxy role. You can use federation server proxies in your organization to provide intermediary services between an Internet client and a federation server that is behind a firewall on your corporate network. -Use the [Setting of a Federation Proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. +Use the [Setting of a Federation Proxy](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. ### Deploy Azure AD Connect -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). +Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). -When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. +When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. ### Create AD objects for AD FS Device Authentication If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. @@ -320,8 +320,8 @@ In the claim above, - `$` is the AD FS service URL - `` is a placeholder you need to replace with one of your verified domain names in Azure AD -For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-add-domain). -To get a list of your verified company domains, you can use the [Get-MsolDomain](https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet. +For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-add-domain). +To get a list of your verified company domains, you can use the [Get-MsolDomain](https://docs.microsoft.com/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet. #### Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set) @@ -514,4 +514,4 @@ For your reference, below is a comprehensive list of the AD DS devices, containe 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Azure Device Registration (*You are here*) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 3885bdbc50..92edeb0db7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -72,20 +72,20 @@ Organizations using older directory synchronization technology, such as DirSync ### Section Review > [!div class="checklist"] > * Azure Active Directory Connect directory synchronization -> * [Upgrade from DirSync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started) -> * [Upgrade from Azure AD Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version) +> * [Upgrade from DirSync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started) +> * [Upgrade from Azure AD Sync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version)
        ## Federation ## Federating your on-premises Active Directory with Azure Active Directory ensures all identities have access to all resources regardless if they reside in cloud or on-premises. Windows Hello for Business hybrid certificate trust needs Windows Server 2016 Active Directory Federation Services. All nodes in the AD FS farm must run the same version of AD FS. Additionally, you need to configure your AD FS farm to support Azure registered devices. -The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) +The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) ### Section Review ### > [!div class="checklist"] > * Windows Server 2016 Active Directory Federation Services -> * Minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889) +> * Minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889)
        diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md index 30efcbd805..2ee49c9aae 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md @@ -21,7 +21,7 @@ ms.date: 09/08/2017 Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario. -It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). +It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 124a34248b..a0296bf8a4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -48,14 +48,14 @@ The provisioning flow has all the information it needs to complete the Windows H The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect synchronizes the user's key to the on-premises Active Directory. > [!IMPORTANT] -> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889). +> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). > The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. > **This synchronization latency delays the user's ability to authenticate and use on-premises resouces until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. -> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. +> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] -> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. +> Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889) provides synchronous certificate enrollment during hybrid certificate trust provisioning. With this update, users no longer need to wait for Azure AD Connect to sync their public key on-premises. Users enroll their certificate during provisioning and can use the certificate for sign-in immediately after completeling the provisioning. After a successful key registration, Windows creates a certificate request using the same key pair to request a certificate. Windows send the certificate request to the AD FS server for certificate enrollment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index f6a16d45b9..f14eedf3af 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -24,7 +24,7 @@ Windows Hello for Business deployments rely on certificates. Hybrid deployments All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorities to provide defense-in-depth security for issuing user authentication certificates. -## Certifcate Templates +## Certificate Templates This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. @@ -146,7 +146,8 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ >[!NOTE] >If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. -Publish Templates + +## Publish Templates ### Publish Certificate Templates to a Certificate Authority diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 8ec23ffcaa..20620f9410 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -75,7 +75,7 @@ If you do not have an existing public key infrastructure, please review [Certifi > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: -> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store. +> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. > * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. ### Section Review ### @@ -84,13 +84,13 @@ If you do not have an existing public key infrastructure, please review [Certifi > * Minimum Windows Server 2012 Certificate Authority. > * Enterprise Certificate Authority. > * Functioning public key infrastructure. -> * Root certifcate authority certificate (Azure AD Joined devices). +> * Root certificate authority certificate (Azure AD Joined devices). > * Highly available certificate revocation list (Azure AD Joined devices). ## Azure Active Directory ## You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities. -The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. +The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization. ### Section Review @@ -102,7 +102,7 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h ## Multifactor Authentication Services ## Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter -Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. +Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. ### Azure Multi-Factor Authentication (MFA) Cloud ### > [!IMPORTANT] @@ -114,16 +114,16 @@ As long as your users have licenses that include Azure Multi-Factor Authenticati > If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section. #### Azure MFA Provider #### -If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. +If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant. #### Configure Azure MFA Settings #### -Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. +Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings. #### Azure MFA User States #### -After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. +After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users. ### Azure MFA via ADFS ### -Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section. +Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section. ### Section Review @@ -131,7 +131,7 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation > * Review the overview and uses of Azure Multifactor Authentication. > * Review your Azure Active Directory subscription for Azure Multifactor Authentication. > * Create an Azure Multifactor Authentication Provider, if necessary. -> * Configure Azure Multufactor Authentiation features and settings. +> * Configure Azure Multifactor Authentiation features and settings. > * Understand the different User States and their effect on Azure Multifactor Authentication. > * Consider using Azure Multifactor Authentication or a third-party multifactor authentication provider with Windows Server Active Directory Federation Services, if necessary. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index c4ddccad00..496b9711d3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -22,19 +22,19 @@ ms.date: 08/19/2018 You are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. > [!NOTE] -> Before proceeding, you should familiarize yourself with device regisration concepts such as: +> Before proceeding, you should familiarize yourself with device registration concepts such as: > * Azure AD registered devices > * Azure AD joined devices > * Hybrid Azure AD joined devices > -> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) +> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/azure/active-directory/device-management-introduction) ## Configure Azure for Device Registration Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. -To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/) +To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-setup/) -Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify you configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark. +Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify you configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.

        @@ -48,4 +48,4 @@ Next, follow the guidance on the [How to configure hybrid Azure Active Directory 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. Configure Azure Device Registration (*You are here*) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index 041c3f0a23..ce2e65c934 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md @@ -22,7 +22,7 @@ ms.date: 08/19/2018 You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). +Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). > [!NOTE] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 00a4885e90..b6cbd28438 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -26,7 +26,7 @@ The distributed systems on which these technologies were built involved several * [Public Key Infrastucture](#public-key-infastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) -* [MultiFactor Authetication](#multifactor-authentication) +* [MultiFactor Authentication](#multifactor-authentication) * [Device Registration](#device-registration) ## Directories ## @@ -75,13 +75,13 @@ Organizations using older directory synchronization technology, such as DirSync ### Section Review > [!div class="checklist"] > * Azure Active Directory Connect directory synchronization -> * [Upgrade from DirSync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started) -> * [Upgrade from Azure AD Sync](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version) +> * [Upgrade from DirSync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-dirsync-upgrade-get-started) +> * [Upgrade from Azure AD Sync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-upgrade-previous-version)
        ## Federation with Azure ## -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. ### Section Review ### > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 8fb2bf361a..5387747964 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -21,7 +21,7 @@ ms.date: 08/20/2018 Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. -It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). +It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index fecb1059be..06a470b1ce 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -50,7 +50,7 @@ The remainder of the provisioning includes Windows Hello for Business requesting > [!IMPORTANT] > The minimum time needed to synchronize the user's public key from Azure Active Directory to the on-premises Active Directory is 30 minutes. The Azure AD Connect scheduler controls the synchronization interval. > **This synchronization latency delays the user's ability to authenticate and use on-premises resources until the user's public key has synchronized to Active Directory.** Once synchronized, the user can authenticate and use on-premises resources. -> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. +> Read [Azure AD Connect sync: Scheduler](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-feature-scheduler) to view and adjust the **synchronization cycle** for your organization. > [!NOTE] > Microsoft is actively investigating ways to reduce the synchronization latency and delays. @@ -60,10 +60,10 @@ The remainder of the provisioning includes Windows Hello for Business requesting
        ## Follow the Windows Hello for Business hybrid key trust deployment guide -1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +1. [Overview](hello-hybrid-key-trust.md) +2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) -5. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) -6. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) +5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) +6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) 7. Sign-in and Provision(*You are here*) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 4679d66c11..70dd6093e7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -19,7 +19,7 @@ ms.date: 08/19/2018 - Key trust -## Directory Syncrhonization +## Directory Synchronization In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. @@ -31,7 +31,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. -3. Right-click **KeyAdmins** in the details pane and click **Properties**. +3. Right-click **Key Admins** in the details pane and click **Properties**. 4. Click the **Members** tab and click **Add** 5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 34a61661eb..4d03a84747 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -48,7 +48,7 @@ The table shows the minimum requirements for each deployment. | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) (hybrid Azure AD joined clients),
        and
        Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | +| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
        and
        Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | | Azure MFA tenant, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter| Azure MFA tenant, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
        AD FS w/Azure MFA adapter, or
        AD FS w/Azure MFA Server adapter, or
        AD FS w/3rd Party MFA Adapter | | Azure Account | Azure Account | Azure Account | Azure Account | | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | @@ -65,6 +65,6 @@ The table shows the minimum requirements for each deployment. | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | | Windows Server 2016 Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) | +| Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) | | AD FS with Azure MFA Server, or
        AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or
        AD FS with 3rd Party MFA Adapter | | Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 125313997c..2bc92aac17 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -25,7 +25,7 @@ The following guidance describes deploying a new instance of Active Directory Fe If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist. -If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. +If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment. Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade. @@ -37,7 +37,7 @@ Prepare the Active Directory Federation Services deployment by installing and up Sign-in the federation server with _local admin_ equivalent credentials. 1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please review the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. -2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889). +2. Ensure the latest server updates to the federation server includes [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889). >[!IMPORTANT] >The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md index 67a8061c4d..b8d18d2c76 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md @@ -353,7 +353,7 @@ The Web Service SDK section allows the administrator to install the Multi-Factor Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. -Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK. +Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK. ## Install Secondary MFA Servers diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index bbc808feae..f9c8f46088 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -104,7 +104,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m ## Review Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) +* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions) * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) * Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting. * Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index f657b6ca14..cd419ac1a4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -35,10 +35,10 @@ On-premises deployments, both key and certificate trust, use the Azure MFA serve A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. -Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. +Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. >[!IMPORTANT] ->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use instllation instructions provided in the article. +>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use instllation instructions provided in the article. Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-key-trust-deploy-mfa.md). diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md new file mode 100644 index 0000000000..fb9afb773b --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md @@ -0,0 +1,31 @@ +--- +title: Microsoft-compatible security key +description: Windows10 enables users to sign in to their device using a security key. How is a Microsoft-compatible security key different (and better) than any other FIDO2 security key +keywords: FIDO2, security key, CTAP, Hello, WHFB +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: aabhathipsay +ms.author: aathipsa +ms.localizationpriority: medium +ms.date: 11/14/2018 +--- +# What is a Microsoft-compatible security key? +> [!Warning] +> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + + +Microsoft has been aligned with the [FIDO Alliance](https://fidoalliance.org/) with a mission to replace passwords with an easy to use, strong 2FA credential. We have been working with our partners to extensively test and deliver a seamless and secure authentication experience to end users. + +The [FIDO2 CTAP specification](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html) contains a few optional features and extensions which are crucial to provide that seamless and secure experience. + +A security key **MUST** implement the following features and extensions from the FIDO2 CTAP protocol to be Microsoft-compatible: + +| #
        | Feature / Extension trust
        | Why is this required?
        | +| --- | --- | --- | +| 1 | Resident key | This feature enables the security key to be portable, where your credential is stored on the security key | +| 2 | Client pin | This feature enables you to protect your credentials with a second factor and applies to security keys that do not have an user interface| +| 3 | hmac-secret | This extension ensures you can sign-in to your device when it's off-line or in airplane mode | +| 4 | Multiple accounts per RP | This feature ensures you can use the same security key across multiple services like Microsoft Account (MSA) and Azure Active Directory (AAD) | + diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 0836a4dfc0..89535ec25d 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -22,7 +22,7 @@ Over the past few years, Microsoft has continued their commitment to enabling a ### 1. Develop a password replacement offering Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory. -Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to useWindows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. +Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm. diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index 36ee129b4c..3312502f59 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -58,7 +58,7 @@ Use the following table to compare different Remote Desktop connection security
        For further technical information, see [Remote Desktop Protocol](https://msdn.microsoft.com/library/aa383015(v=vs.85).aspx) -and [How Kerberos works](https://technet.microsoft.com/en-us/library/cc961963.aspx(d=robot)) +and [How Kerberos works](https://technet.microsoft.com/library/cc961963.aspx(d=robot))
        @@ -72,7 +72,7 @@ Therefore, we recommend instead that you use the Restricted Admin mode option. F To further harden security, we also recommend that you implement Local Administrator Password Solution (LAPS), a Group Policy client-side extension (CSE) introduced in Windows 8.1 that automates local administrator password management. LAPS mitigates the risk of lateral escalation and other cyberattacks facilitated when customers use the same administrative local account and password combination on all their computers. You can download and install LAPS [here](https://www.microsoft.com/en-us/download/details.aspx?id=46899). -For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/en-us/library/security/3062591.aspx). +For further information on LAPS, see [Microsoft Security Advisory 3062591](https://technet.microsoft.com/library/security/3062591.aspx). @@ -157,6 +157,8 @@ If you don't use Group Policy in your organization, or if not all your remote ho mstsc.exe /remoteGuard ``` +> [!NOTE] +> The user must be part of administrators group. ## Considerations when using Windows Defender Remote Credential Guard diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md index 3d9aa22025..39707aa3da 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md +++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md @@ -71,7 +71,7 @@ Example: **certutil -dspublish NTAuthCA** <*CertFile*> **"CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com"** -For information about this option for the command-line tool, see [-dsPublish](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_dsPublish). +For information about this option for the command-line tool, see [-dsPublish](https://technet.microsoft.com/library/cc732443(v=ws.11).aspx#BKMK_dsPublish). ### Remote Desktop Services and smart card sign-in across domains @@ -79,7 +79,7 @@ To enable remote access to resources in an enterprise, the root certificate for **certutil -scroots update** -For information about this option for the command-line tool, see [-SCRoots](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_SCRoots). +For information about this option for the command-line tool, see [-SCRoots](https://technet.microsoft.com/library/cc732443(v=ws.11).aspx#BKMK_SCRoots). For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the store, run the following command at the command line: @@ -87,7 +87,7 @@ For Remote Desktop Services across domains, the KDC certificate of the RD Sessio Where <*CertFile*> is the root certificate of the KDC certificate issuer. -For information about this option for the command-line tool, see [-addstore](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_addstore). +For information about this option for the command-line tool, see [-addstore](https://technet.microsoft.com/library/cc732443(v=ws.11).aspx#BKMK_addstore). > **Note**  If you use the credential SSP on computers running the supported versions of the operating system that are designated in the **Applies To** list at the beginning of this topic: To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller. diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md index b517556f40..e33b59d31c 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md +++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md @@ -26,7 +26,7 @@ For smart cards, Windows supports a provider architecture that meets the secure - [Smart card subsystem architecture](#smart-card-subsystem-architecture) ## Credential provider architecture diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index 0542b750c5..4354757189 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -310,7 +310,7 @@ To deploy root certificates on a smart card for the currently joined domain, you **certutil -scroots update** -For more information about this option for the command-line tool, see [-SCRoots](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx#BKMK_SCRoots). +For more information about this option for the command-line tool, see [-SCRoots](https://technet.microsoft.com/library/cc732443(v=ws.11).aspx#BKMK_SCRoots). ## See also diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md index cc4e495d4f..52c470aa92 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md +++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md @@ -31,7 +31,7 @@ Debugging and tracing smart card issues requires a variety of tools and approach ## Certutil -For a complete description of Certutil including examples that show how to use it, see [Certutil \[W2012\]](https://technet.microsoft.com/en-us/library/cc732443(v=ws.11).aspx). +For a complete description of Certutil including examples that show how to use it, see [Certutil \[W2012\]](https://technet.microsoft.com/library/cc732443(v=ws.11).aspx). ### List certificates available on the smart card diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index b5020571a1..851edc7279 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -7,7 +7,7 @@ ms.mktglfcycl: operate ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 11/16/2018 --- # How User Account Control works @@ -156,36 +156,40 @@ To better understand each component, review the table below:

        Check UAC slider level

       diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 9389cb58ae..b5fede2f00 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -80,7 +80,7 @@ If the credentials are certificate-based, then the elements in the following tab ## NDES server configuration The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used. -For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/en-us/intune/deploy-use/Configure-certificate-infrastructure-for-scep). +For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/intune/deploy-use/Configure-certificate-infrastructure-for-scep). ## Active Directory requirements diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 92165eb4e0..ccd3bb3219 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -26,9 +26,9 @@ Conditional Access Platform components used for Device Compliance include the fo - [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn) -- [Azure AD Connect Health](https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health) +- [Azure AD Connect Health](https://docs.microsoft.com/azure/active-directory/connect-health/active-directory-aadconnect-health) -- [Windows Health Attestation Service](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional) +- [Windows Health Attestation Service](https://technet.microsoft.com/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional) - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md index 42fa462528..2703ed270a 100644 --- a/windows/security/identity-protection/vpn/vpn-guide.md +++ b/windows/security/identity-protection/vpn/vpn-guide.md @@ -17,7 +17,7 @@ ms.date: 07/27/2017 - Windows 10 - Windows 10 Mobile -This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/en-us/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. +This guide will walk you through the decisions you will make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10. ![Intune VPN policy template](images/vpn-intune-policy.png) diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index 00aaec6903..d1af453ff6 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -30,28 +30,29 @@ ## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md) ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) -### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md) -#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) -##### [Deploy your Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md) -##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md) -#### [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md) -##### [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md) -##### [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md) -#### [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md) -### [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md) -#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) -### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) -### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](windows-information-protection\wip-app-enterprise-context.md) -### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) -### [Testing scenarios for Windows Information Protection (WIP)](windows-information-protection\testing-scenarios-for-wip.md) -### [Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md) -### [How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) -### [General guidance and best practices for Windows Information Protection (WIP)](windows-information-protection\guidance-and-best-practices-wip.md) -#### [Enlightened apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md) -#### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md) -#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md) -#### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md) -### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md) +### [Create a WIP policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md) +#### [Create a WIP policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) +##### [Deploy your WIP policy using the classic console for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md) +##### [Associate and deploy a VPN policy for WIP using the classic console for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md) +#### [Create a WIP policy with MDM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune-azure.md) +##### [Deploy your WIP policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md) +##### [Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md) +#### [Create a WIP policy with MAM using the Azure portal for Microsoft Intune](windows-information-protection\create-wip-policy-using-mam-intune-azure.md) +### [Create a WIP policy using System Center Configuration Manager](windows-information-protection\overview-create-wip-policy-sccm.md) +#### [Create and deploy a WIP policy using System Center Configuration Manager](windows-information-protection\create-wip-policy-using-sccm.md) +### [Create and verify an EFS Data Recovery Agent (DRA) certificate](windows-information-protection\create-and-verify-an-efs-dra-certificate.md) +### [Determine the Enterprise Context of an app running in WIP](windows-information-protection\wip-app-enterprise-context.md) +### [Mandatory tasks and settings required to turn on WIP](windows-information-protection\mandatory-settings-for-wip.md) +### [Testing scenarios for WIP](windows-information-protection\testing-scenarios-for-wip.md) +### [Limitations while using WIP](windows-information-protection\limitations-with-wip.md) +### [How to collect WIP audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) +### [General guidance and best practices for WIP](windows-information-protection\guidance-and-best-practices-wip.md) +#### [Enlightened apps for use with WIP](windows-information-protection\enlightened-microsoft-apps-and-wip.md) +#### [Unenlightened and enlightened app behavior while using WIP](windows-information-protection\app-behavior-with-wip.md) +#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP](windows-information-protection\recommended-network-definitions-for-wip.md) +#### [Using Outlook Web Access with WIP](windows-information-protection\using-owa-with-wip.md) +### [Fine-tune WIP Learning](windows-information-protection\wip-learning.md) +### [How WIP works with sensitivity labels](windows-information-protection\how-wip-works-with-labels.md) ## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index 91d9c277db..d4ebe56664 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md @@ -98,7 +98,7 @@ It requires direct ethernet connectivity to an enterprise Windows Deployment Ser There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. -This kernel DMA protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. +This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: @@ -107,7 +107,7 @@ You can use the System Information desktop app (MSINFO32) to check if a device h If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: 1. Require a password for BIOS changes -2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings +2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Please refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) 3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607): - MDM: [DataProtection/AllowDirectMemoryAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy @@ -188,4 +188,4 @@ For secure administrative workstations, Microsoft recommends TPM with PIN protec - [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) - [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) -- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) \ No newline at end of file +- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 29580800e7..d536281716 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: Justinha -ms.date: 10/27/2017 +ms.date: 11/06/2018 --- # Overview of BitLocker Device Encryption in Windows 10 @@ -14,7 +14,7 @@ ms.date: 10/27/2017 **Applies to** - Windows 10 -This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10. +This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10. For an architectural overview about how BitLocker Device Encryption works with Secure Boot, see [Secure boot and BitLocker Device Encryption overview](https://docs.microsoft.com/windows-hardware/drivers/bringup/secure-boot-and-device-encryption-overview). For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md). @@ -84,13 +84,13 @@ Exercise caution when encrypting only used space on an existing volume on which SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives. Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements. -For more information about encrypted hard drives, see [Encrypted Hard Drive](/windows/security/hardware-protection/encrypted-hard-drive.md). +For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md). ## Preboot information protection An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it. It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided. -Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md) and [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md). +Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md). ## Manage passwords and PINs diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 430fd8fbe7..41a434f60a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -21,7 +21,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). +Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). ## Managing devices joined to Azure Active Directory diff --git a/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png new file mode 100644 index 0000000000..9f9aea0f86 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/kernel-dma-protection-security-center.png differ diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg new file mode 100644 index 0000000000..f1c25c116c Binary files /dev/null and b/windows/security/information-protection/images/kernel-dma-protection-security-center.jpg differ diff --git a/windows/security/information-protection/images/kernel-dma-protection-security-center.png b/windows/security/information-protection/images/kernel-dma-protection-security-center.png new file mode 100644 index 0000000000..dfd30ba2a2 Binary files /dev/null and b/windows/security/information-protection/images/kernel-dma-protection-security-center.png differ diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index 5c7a8d5795..8d7bde1868 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 09/17/2018 +ms.date: 10/10/2018 --- # Information protection @@ -16,7 +16,7 @@ Learn more about how to secure documents and other data across your organization | Section | Description | |-|-| | [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. | -| [Encrypted Hard Drive](bitlocker/bitlocker-overview.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. | +| [Encrypted Hard Drive](encrypted-hard-drive.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. | | [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. | | [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.| | [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. | diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index fc494015d5..529d064913 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: aadake -ms.date: 09/06/2018 +ms.date: 12/20/2018 --- # Kernel DMA Protection for Thunderbolt™ 3 @@ -19,6 +19,8 @@ Drive-by DMA attacks can lead to disclosure of sensitive information residing on This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on. +For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf). + ## Background PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to engage the system processor in these operations. @@ -36,17 +38,17 @@ A simple example would be a PC owner leaves the PC for a quick coffee break, and ## How Windows protects against DMA drive-by attacks -Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external devices from starting and performing DMA unless the drivers for these devices support memory isolation (such as DMA-remapping). -Devices with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. -Devices with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. +Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external peripherals from starting and performing DMA unless the drivers for these peripherals support memory isolation (such as DMA-remapping). +Peripherals with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions. +By default, peripherals with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen. ## User experience ![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png) -A device that is incompatible with DMA-remapping will be blocked from starting if the device was plugged in before an authorized user logs in, or while the screen is locked. -Once the system is unlocked, the device driver will be started by the OS, and the device will continue to function normally until the system is rebooted, or the device is unplugged. -The devices will continue to function normally if the user locks the screen or logs out of the system. +A peripheral that is incompatible with DMA-remapping will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. +Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. +The peripheral will continue to function normally if the user locks the screen or logs out of the system. ## System compatibility @@ -59,26 +61,34 @@ Systems released prior to Windows 10 version 1803 do not support Kernel DMA Prot >[!NOTE] >Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals. -## Enabling Kernel DMA protection +## How to check if Kernel DMA Protection is enabled Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required. -**To check if a device supports kernel DMA protection** +### Using Security Center + +Beginning with Wndows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**. + +![Kernel DMA protection in Security Center](bitlocker/images/kernel-dma-protection-security-center.png) + +### Using System information 1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar. 2. Check the value of **Kernel DMA Protection**. - ![Kernel DMA protection](bitlocker/images/kernel-dma-protection.png) + ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png) 3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO: - Reboot into BIOS settings - Turn on Intel Virtualization Technology. - - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in BitLocker Countermeasures. + - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md). - Reboot system into Windows 10. -4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. +4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. + +For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ## Frequently asked questions -### Do in-market systems support Kernel DMA protection for Thunderbolt™ 3? -In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. +### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3? +In-market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees that cannot be backported to previously released devices. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection. ### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot? No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot. @@ -98,10 +108,13 @@ In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Co ### Do drivers for non-PCI devices need to be compatible with DMA-remapping? No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping. -### How can an enterprise enable the “External device enumeration” policy? -The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. The policy can be enabled via Group Policy or Mobile Device Management (MDM): +### How can an enterprise enable the External device enumeration policy? +The External device enumeration policy controls whether to enumerate external peripherals that are not compatible with DMA-remapping. Peripherals that are compatible with DMA-remapping are always enumerated. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + +The policy can be enabled by using: + - Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection -- MDM: [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) +- Mobile Device Management (MDM): [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies) ## Related topics diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 99a3d2d62b..cb56f52198 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.sitesec: library ms.localizationpriority: medium author: brianlic-msft -ms.date: 10/13/2017 +ms.date: 11/16/2018 --- # Secure the Windows 10 boot process @@ -122,9 +122,5 @@ Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to ## Summary Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system. -For more information: - -- Watch a [video demonstration of Secure Boot](https://technet.microsoft.com/en-us/windows/jj737995.aspx) - ## Additional resources - [Windows 10 Enterprise Evaluation](https://technet.microsoft.com/evalcenter/hh699156.aspx?ocid=wc-tn-wctc) diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md index 1f879a21ea..df37e941b5 100644 --- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md +++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md @@ -46,7 +46,7 @@ To change to a new TPM owner password, in TPM.msc, click **Change Owner Password ## Use the TPM cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule). ## Related topics diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index 1ff26cb46d..1cc72bd01d 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -75,7 +75,7 @@ The adoption of new authentication technology requires that identity providers a Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1): -• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. +• **Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM. • **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios. diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md index db918c0ba6..6f31a72d96 100644 --- a/windows/security/information-protection/tpm/manage-tpm-lockout.md +++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md @@ -31,7 +31,7 @@ The industry standards from the Trusted Computing Group (TCG) specify that TPM m **TPM 2.0** -TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 2 hours. This means that every continuous two hours of powered on operation without an event which increases the counter will cause the counter to decrease by 1. +TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows 10 configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event which increases the counter will cause the counter to decrease by 1. If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607. diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 0d44a4282a..09faeded0c 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -69,7 +69,7 @@ The TPM can be used to protect certificates and RSA keys. The TPM key storage pr ## TPM Cmdlets -You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/). ## Physical presence interface @@ -145,6 +145,6 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/en-us/powershell/module/trustedplatformmodule/) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/) - [TPM WMI providers](https://msdn.microsoft.com/library/aa376476.aspx) - [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index 792d6b059a..46b264ae30 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -9,7 +9,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/16/2018 +ms.date: 11/29/2018 --- # TPM recommendations @@ -64,6 +64,9 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in - While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC. +> [!NOTE] +> TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. + ## Discrete, Integrated or Firmware TPM? There are three implementation options for TPMs: @@ -104,8 +107,8 @@ The following table defines which Windows features require TPM support. | BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required | | Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. | | Windows Defender Application Control (Device Guard) | No | Yes | Yes | | -| Windows Defender Exploit Guard | Yes | Yes | Yes | | -| Windows Defender System Guard | Yes | Yes | Yes | | +| Windows Defender Exploit Guard | No | N/A | N/A | | +| Windows Defender System Guard | Yes | No | Yes | | | Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. | | Device Health Attestation| Yes | Yes | Yes | | | Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. | @@ -113,6 +116,10 @@ The following table defines which Windows features require TPM support. | TPM Platform Crypto Provider Key Storage Provider| Yes | Yes| Yes | | | Virtual Smart Card | Yes | Yes | Yes | | | Certificate storage | No | Yes | Yes | TPM is only required when the certificate is stored in the TPM. | +| Autopilot | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | +| SecureBIO | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | +| DRTM | Yes | No | Yes | TPM 2.0 and UEFI firmware is required. | + ## OEM Status on TPM 2.0 system availability and certified parts diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 1b4e9f6f6f..3d34861247 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -9,7 +9,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms-author: v-anbic -ms.date: 08/21/2018 +ms.date: 11/29/2018 --- # Trusted Platform Module Technology Overview @@ -17,6 +17,7 @@ ms.date: 08/21/2018 **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2019 This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication. @@ -38,7 +39,7 @@ Different versions of the TPM are defined in specifications by the Trusted Compu ### Automatic initialization of the TPM with Windows 10 -Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). +Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](https://docs.microsoft.com/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809. In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects. @@ -69,18 +70,18 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? > [!NOTE] -> Windows 10 and Windows Server 2016 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). +> Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. ## Supported versions for device health attestation -| TPM version | Windows 10 | Windows Server 2016 | -|-------------|-------------|---------------------| -| TPM 1.2 | >= ver 1607 | >= ver 1607 | -| TPM 2.0 | X | X | +| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 | +|-------------|-------------|---------------------|---------------------| +| TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes | +| TPM 2.0 | Yes | Yes | Yes | ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index a1818e7654..0b2740ff70 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -8,14 +8,14 @@ ms.sitesec: library ms.pagetype: security author: andreabichsel ms.author: v-anbic -ms.date: 09/11/2018 +ms.date: 10/02/2018 --- # TPM Group Policy settings **Applies to** - Windows 10 -- Windows Server 2016 +- Windows Server 2016 and later This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings. @@ -23,9 +23,7 @@ The Group Policy settings for TPM services are located at: **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\** -The following Group Policy settings were introduced in Window 10. - - +The following Group Policy settings were introduced in Windows 10. ## Configure the level of TPM owner authorization information available to the operating system @@ -128,6 +126,17 @@ Introduced in Windows 10, version 1703, this policy setting configures the TPM t > - Disable it from group policy > - Clear the TPM on the system +# TPM Group Policy settings in the Windows Security app + +You can change what users see about TPM in the Windows Security app. The Group Policy settings for the TPM area in the Windows Security app are located at: + +**Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security** + +## Disable the Clear TPM button +If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it with this Group Policy setting. Select **Enabled** to make the **Clear TPM** button unavailable for use. + +## Hide the TPM Firmware Update recommendation +If you don't want users to see the recommendation to update TPM firmware, you can disable it with this setting. Select **Enabled** to prevent users from seeing a recommendation to update their TPM firmware when a vulnerable firmware is detected. ## Related topics diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index 1c8b475572..ed7d4a50ad 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -136,4 +136,4 @@ This table includes info about how enlightened apps might behave, based on your
      - + Read what's new in Windows 10
      What's New?
      		-

      UAC has four levels of notification to choose from and a slider to use to select the notification level:

      +

      UAC has a slider to select from four levels of notification.

        -
      • -

        High

        -

        If the slider is set to Always notify, the system checks whether the secure desktop is enabled.

        -
        • -
      • -

        Medium

        -

        If the slider is set to Notify me only when programs try to make changes to my computer, the User Account Control: Only elevate executable files that are signed and validated policy setting is checked:

        +

      • Always notify will:

          -
        • -

          If the policy setting is enabled, the public key infrastructure (PKI) certification path validation is enforced for a given file before it is permitted to run.

          -
          • -
        • -

          If the policy setting is not enabled (default), the PKI certification path validation is not enforced before a given file is permitted to run. The User Account Control: Switch to the secure desktop when prompting for elevation Group Policy setting is checked.

          -
          • +
        • Notify you when programs try to install software or make changes to your computer.
          • +
        • Notify you when you make changes to Windows settings.
          • +
        • Freeze other tasks until you respond.
        +

        Recommended if you often install new software or visit unfamiliar websites.


        • -
      • -

        Low

        -

        If the slider is set to Notify me only when apps try to make changes to my computer (do not dim by desktop), the CreateProcess is called.

        -
        • -
      • -

        Never Notify

        -

        If the slider is set to Never notify me when, UAC prompt will never notify when an app is trying to install or trying to make any change on the computer.

        -
        Important  

        This setting is not recommended. This setting is the same as setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting to Elevate without prompting.

        -
        -
         
        -
        • +

      • Notify me only when programs try to make changes to my computer will:

        +
          +
        • Notify you when programs try to install software or make changes to your computer.
          • +
        • Not notify you when you make changes to Windows settings.
          • +
        • Freeze other tasks until you respond.
        +

        Recommended if you do not often install apps or visit unfamiliar websites.


        +
        • +

      • Notify me only when programs try to make changes to my computer (do not dim my desktop) will:

        +
          +
        • Notify you when programs try to install software or make changes to your computer.
          • +
        • Not notify you when you make changes to Windows settings.
          • +
        • Not freeze other tasks until you respond.
          • +
        +

        Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.


        +
        • +

      • Never notify (Disable UAC prompts) will:

        +
          +
        • Not notify you when programs try to install software or make changes to your computer.
          • +
        • Not notify you when you make changes to Windows settings.
          • +
        • Not freeze other tasks until you respond.
          • +
        +

        Not recommended due to security concerns.

        +
      >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md index 92e3401948..7c0b4e23ef 100644 --- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md +++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md @@ -65,86 +65,86 @@ Here are a few examples of responses from the Reporting CSP. #### File ownership on a file is changed from work to personal ``` -110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?> -<Reporting Version="com.contoso/2.0/MDM/Reporting"> - <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"> - <Log ProviderType="EDPAudit" LogType="ProtectionRemoved" TimeStamp="131357166318347527"> - <Policy>Protection removed</Policy> - <Justification>NULL</Justification> - <FilePath>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</FilePath> - </Log> - </User> -</Reporting> +110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml + + + + Protection removed + NULL + C:\Users\TestUser\Desktop\tmp\demo\Work document.docx + + + ``` #### A work file is uploaded to a personal webpage in Edge ``` -110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?> -<Reporting Version="com.contoso/2.0/MDM/Reporting"> - <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"> - <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357192409318534"> - <Policy>CopyPaste</Policy> - <Justification>NULL</Justification> - <SourceApplicationName>NULL</SourceApplicationName> - <DestinationEnterpriseID>NULL</DestinationEnterpriseID> - <DestinationApplicationName>mail.contoso.com</DestinationApplicationName> - <DataInfo>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</DataInfo> - </Log> - </User> -</Reporting> +110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml + + + + CopyPaste + NULL + NULL + NULL + mail.contoso.com + C:\Users\TestUser\Desktop\tmp\demo\Work document.docx + + + ``` #### Work data is pasted into a personal webpage ``` -110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?> -<Reporting Version="com.contoso/2.0/MDM/Reporting"> - <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"> - <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357193734179782"> - <Policy>CopyPaste</Policy> - <Justification>NULL</Justification> - <SourceApplicationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000</SourceApplicationName> - <DestinationEnterpriseID>NULL</DestinationEnterpriseID> - <DestinationApplicationName>mail.contoso.com</DestinationApplicationName> - <DataInfo>EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink</DataInfo> - </Log> - </User> -</Reporting> +110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml + + + + CopyPaste + NULL + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000 + NULL + mail.contoso.com + EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink + + + ``` #### A work file is opened with a personal application ``` -110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?> -<Reporting Version="com.contoso/2.0/MDM/Reporting"> - <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"> - <Log ProviderType="EDPAudit" LogType="ApplicationGenerated" TimeStamp="131357194991209469"> - <Policy>NULL</Policy> - <Justification></Justification> - <Object>C:\Users\TestUser\Desktop\tmp\demo\Work document.docx</Object> - <Action>1</Action> - <SourceName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</SourceName> - <DestinationEnterpriseID>Personal</DestinationEnterpriseID> - <DestinationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</DestinationName> - <Application>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2</Application> - </Log> - </User> -</Reporting> +110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml + + + + NULL + + C:\Users\TestUser\Desktop\tmp\demo\Work document.docx + 1 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2 + Personal + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2 + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT® WINDOWS® OPERATING SYSTEM\WORDPAD.EXE\10.0.15063.2 + + + ``` #### Work data is pasted into a personal application ``` -110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml<?xml version="1.0" encoding="utf-8"?> -<Reporting Version="com.contoso/2.0/MDM/Reporting"> - <User UserID="S-1-12-1-1111111111-1111111111-1111111111-1111111111" EnterpriseID="corp.contoso.com"> - <Log ProviderType="EDPAudit" LogType="DataCopied" TimeStamp="131357196076537270"> - <Policy>CopyPaste</Policy> - <Justification>NULL</Justification> - <SourceApplicationName>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000</SourceApplicationName> - <DestinationEnterpriseID>NULL</DestinationEnterpriseID> - <DestinationApplicationName></DestinationApplicationName> - <DataInfo>EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink</DataInfo> - </Log> - </User> -</Reporting> +110SyncHdr200212Replace200314Get200414./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logsxml + + + + CopyPaste + NULL + O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\MICROSOFT OFFICE 2016\WINWORD.EXE\16.0.8027.1000 + NULL + + EnterpriseDataProtectionId|Object Descriptor|Rich Text Format|HTML Format|AnsiText|Text|EnhancedMetafile|Embed Source|Link Source|Link Source Descriptor|ObjectLink|Hyperlink + + + ``` ## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only) diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index c554266f44..06c6f03b54 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -70,4 +70,4 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md index 990c0c34c4..faaddea437 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md @@ -113,7 +113,7 @@ The final step to making your VPN configuration work with WIP, is to link your t >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 7adccd0ac3..addb2e2df0 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -8,7 +8,7 @@ ms.pagetype: security author: justinha ms.author: justinha ms.localizationpriority: medium -ms.date: 08/08/2018 +ms.date: 09/19/2018 --- # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune @@ -32,11 +32,11 @@ Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Follow these steps to add a WIP policy using Intune. **To add a WIP policy** -1. Open Microsoft Intune and click **Mobile apps**. +1. Open Microsoft Intune and click **Client apps**. - ![Open Mobile apps](images/open-mobile-apps.png) + ![Open Client apps](images/open-mobile-apps.png) -2. In **Mobile apps**, click **App protection policies**. +2. In **Client apps**, click **App protection policies**. ![App protection policies](images/app-protection-policies.png) @@ -325,7 +325,7 @@ If you're running into compatibility issues where your app is incompatible with **To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list** -1. In **Mobile apps - App protection policies**, click **Exempt apps**. +1. In **Client apps - App protection policies**, click **Exempt apps**. ![Exempt apps](images/exempt-apps.png) @@ -546,4 +546,4 @@ Optionally, if you don’t want everyone in your organization to be able to shar - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md index d75ea228ef..6593dc47a3 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md @@ -476,4 +476,4 @@ After you've decided where your protected apps can access enterprise data on you - [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md index 5d23640044..1462462e93 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md @@ -50,7 +50,7 @@ After you’ve set up Intune for your organization, you must create a WIP-specif The Microsoft Intune Overview blade appears. -2. Click **Mobile apps**, click **App protection policies**, and then click **Add a policy**. +2. Click **Client apps**, click **App protection policies**, and then click **Add a policy**. ![Microsoft Intune management console: App policy link](images/wip-azure-portal-start-mam.png) @@ -71,12 +71,12 @@ After you’ve set up Intune for your organization, you must create a WIP-specif 4. Click **Create**. - The policy is created and appears in the table on the **Mobile apps - App protection policies** blade. + The policy is created and appears in the table on the **Client apps - App protection policies** blade. >[!NOTE] >Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available. -## Add apps to your Allowed apps list +## Add apps to your Protected apps list During the policy-creation process in Intune, you can choose the apps you want to allow, as well as deny, access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app. You can also import a list of approved apps or add exempt apps. @@ -84,19 +84,19 @@ The steps to add your apps are based on the type of template being applied. You In addition, you can create an app deny list related to the policy based on an **action** value. The action can be either **Allow** or **Deny**. When you specify the deny action for an app using the policy, corporate access is denied to the app. >[!Important] ->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

      Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you don’t get this statement, it’s possible that you could experience app compatibility issues due to an app losing the ability to access a necessary file after revocation. +>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

      Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Protected apps** list. If you don’t get this statement, it’s possible that you could experience app compatibility issues due to an app losing the ability to access a necessary file after revocation. -### Add a Recommended app to your Allowed apps list -For this example, we’re going to add a few recommended apps to the **Allowed apps** list. +### Add a Recommended app to your Protected apps list +For this example, we’re going to add a few recommended apps to the **Protected apps** list. **To add a recommended app** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears. - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. + The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy. ![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png) -2. From the **Allowed apps** blade, click **Add apps**. +2. From the **Protected apps** blade, click **Add apps**. The **Add apps** blade appears, showing you all **Recommended apps**. @@ -104,27 +104,27 @@ For this example, we’re going to add a few recommended apps to the **Allowed a 3. Select each app you want to access your enterprise data, and then click **OK**. - The **Allowed apps** blade updates to show you your selected apps. + The **Protected apps** blade updates to show you your selected apps. - ![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png) + ![Microsoft Intune management console: Protected apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png) -4. Click **Save** to save the **Allowed apps** list to your policy. +4. Click **Save** to save the **Protected apps** list to your policy. -### Add a Store app to your Allowed apps list -For this example, we’re going to add Microsoft Power BI, a Windows store app, to the **Allowed apps** list. +### Add a Store app to your Protected apps list +For this example, we’re going to add Microsoft Power BI, a Windows store app, to the **Protected apps** list. **To add a Store app** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears. - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. + The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy. -2. From the **Allowed apps** blade, click **Add apps**. +2. From the **Protected apps** blade, click **Add apps**. 3. On the **Add apps** blade, click **Store apps** from the dropdown list. 4. Type the friendly name of the app, the publisher info, and the product name. For this example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.MicrosoftPowerBIForWindows`. -5. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list, and then click **Save** to save the **Allowed apps** list to your policy. +5. After you’ve entered the info into the fields, click **OK** to add the app to your **Protected apps** list, and then click **Save** to save the **Protected apps** list to your policy. >[!NOTE] >To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and continue to add more apps. When you’re done, click **OK**. @@ -180,15 +180,15 @@ If you don't know the publisher or product name for your Store app, you can find >The JSON file might also return a windowsPhoneLegacyId value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as windowsPhoneLegacyId, and set the **Publisher Name** as CN= followed by the windowsPhoneLegacyId.

      For example:
      {
      "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
      }       -### Add a Desktop app to your Allowed apps list -For this example, we’re going to add WordPad, a Desktop app, to the **Allowed apps** list. +### Add a Desktop app to your Protected apps list +For this example, we’re going to add WordPad, a Desktop app, to the **Protected apps** list. **To add a Desktop app** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Protected apps** from the menu that appears. - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. + The **Protected apps** blade appears, showing you any apps that are already included in the list for this policy. -2. From the **Allowed apps** blade, click **Add apps**. +2. From the **Protected apps** blade, click **Add apps**. 3. On the **Add apps** blade, click **Desktop apps** from the dropdown list. @@ -233,7 +233,7 @@ For this example, we’re going to add WordPad, a Desktop app, to the **Allowed -4. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list, and then click **Save** to save the **Allowed apps** list to your policy. +4. After you’ve entered the info into the fields, click **OK** to add the app to your **Protected apps** list, and then click **Save** to save the **Protected apps** list to your policy. >[!Note] >To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**. @@ -257,10 +257,10 @@ Path Publisher ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box. -### Import a list of apps to your Allowed apps list -For this example, we’re going to add an AppLocker XML file to the **Allowed apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. +### Import a list of apps to your Protected apps list +For this example, we’re going to add an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. -**To create a list of Allowed apps using the AppLocker tool** +**To create a list of Protected apps using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). @@ -334,9 +334,9 @@ For this example, we’re going to add an AppLocker XML file to the **Allowed ap 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. -**To import your list of Allowed apps using Microsoft Intune** +**To import your list of Protected apps using Microsoft Intune** -1. From the **Allowed apps** area, click **Import apps**. +1. From the **Protected apps** area, click **Import apps**. The blade changes to let you add your import file. @@ -349,7 +349,7 @@ For this example, we’re going to add an AppLocker XML file to the **Allowed ap ### Add exempt apps to your policy If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. -**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list** +**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Protected apps list** 1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears. @@ -361,13 +361,13 @@ If you're running into compatibility issues where your app is incompatible with 3. Fill out the rest of the app info, based on the type of app you’re adding: - - **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic. + - **Recommended app.** Follow the instructions in the [Add a Recommended app to your Protected apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic. - - **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic. + - **Store app.** Follow the instructions in the [Add a Store app to your Protected apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic. - - **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic. + - **Desktop app.** Follow the instructions in the [Add a Desktop app to your Protected apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic. - - **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps. + - **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Protected apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps. 4. Click **OK**. @@ -384,7 +384,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi **To add your protection mode** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears. The **Required settings** blade appears. @@ -406,7 +406,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor **To change your corporate identity** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Required settings** from the menu that appears. The **Required settings** blade appears. @@ -427,7 +427,7 @@ Intune will add SharePoint sites that are discovered through the Graph API. You **To define where your allowed apps can find and send enterprise data on you network** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. The **Advanced settings** blade appears. @@ -501,7 +501,7 @@ After you create and deploy your WIP policy to your employees, Windows begins to >Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) topic. **To upload your DRA certificate** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. The **Advanced settings** blade appears. @@ -514,7 +514,7 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. The **Advanced settings** blade appears. @@ -572,7 +572,7 @@ You can turn on Windows Hello for Business, letting your employees use it as a s **To turn on and configure Windows Hello for Business** -1. From the **Mobile apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. +1. From the **Client apps - App protection policies** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. The **Advanced settings** blade appears. @@ -636,7 +636,7 @@ After you’ve created your policy, you'll need to deploy it to your employees. **To deploy your policy** -1. On the **Mobile apps - App protection policies** pane, click your newly-created policy, click **Assignments** from the menu that appears, and then click **Select groups**. +1. On the **Client apps - App protection policies** pane, click your newly-created policy, click **Assignments** from the menu that appears, and then click **Select groups**. A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane. diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md index d686c6df22..3ff66496cf 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 09/11/2017 +ms.date: 10/15/2018 --- # Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune @@ -22,19 +22,17 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll **To deploy your WIP policy** -1. On the **App policy** pane, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**. - - A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane. +1. On the **App protection policies** pane, click your newly-created policy, click **Assignments**, and then select groups to include or exclude from the policy. 2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy. - The policy is deployed to the selected users' devices. + The policy is deployed to the selected users' devices. - ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) + ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). ## Related topics - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md index 26b5ff9472..6d41dd0d2a 100644 --- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune.md @@ -35,7 +35,7 @@ The added people move to the **Selected Groups** list on the right-hand pane. The policy is deployed to the selected users' devices. >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). ## Related topics - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index e91d6c96e7..52503527a1 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.localizationpriority: medium -ms.date: 05/30/2018 +ms.date: 10/11/2018 --- # List of enlightened Microsoft apps for use with Windows Information Protection (WIP) @@ -32,7 +32,7 @@ Apps can be enlightened or unenlightened: - Windows **Save As** experiences only allow you to save your files as enterprise. -- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions. +- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode. ## List of enlightened Microsoft apps Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following: @@ -82,7 +82,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li |PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.Office.PowerPoint
      **App Type:** Universal app | |OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.Office.OneNote
      **App Type:** Universal app | |Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** microsoft.windowscommunicationsapps
      **App Type:** Universal app | -|Office 365 ProPlus|Office 365 ProPlus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
      We don't recommend setting up Office by using individual paths or publisher rules.| +|Office 365 ProPlus and Office 2019 Professional Plus |Office 365 ProPlus and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
      We don't recommend setting up Office by using individual paths or publisher rules.| |Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.Windows.Photos
      **App Type:** Universal app | |Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.ZuneMusic
      **App Type:** Universal app | |Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
      **Product Name:** Microsoft.ZuneVideo
      **App Type:** Universal app | @@ -97,4 +97,4 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md index 8e0e18f98a..f02c43a630 100644 --- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md +++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md @@ -29,4 +29,4 @@ This section includes info about the enlightened Microsoft apps, including how t |[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook on the web with Windows Information Protection (WIP). | >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md new file mode 100644 index 0000000000..b1005f382d --- /dev/null +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md @@ -0,0 +1,90 @@ +--- +title: How Windows Information Protection (WIP) protects files with a sensitivity label (Windows 10) +description: Explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label. +keywords: sensitivity, labels, WIP, Windows Information Protection, EDP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: justinha +ms.localizationpriority: medium +ms.date: 11/28/2018 +--- + +# How Windows Information Protection protects files with a sensitivity label + +**Applies to:** + +- Windows 10, version 1809 + +This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label. +Microsoft information protection technologies work together as an integrated solution to help enterprises: + +- Discover corporate data on endpoint devices +- Classify and label information based on its content and context +- Protect corporate data from unintentionally leaving to non-business environments +- Enable audit reports of user interactions with corporate data on endpoint devices + +Microsoft information protection technologies include: + +- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as email attachment, is not protected by WIP. + +- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other first-party or third-party Software-as-a-Service (SaaS) apps. + +- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services. + +End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps: + +![Sensitivity labels](images/sensitivity-labels.png) + +## Default WIP behaviors for a sensitivity label + +Enterprises can create and manage sensitivity labels on the **Labels** page in the Office 365 Security & Compliance Center. +When you create a sensitivity label, you can specify that endpoint protection should apply to content with that label. +WIP enforces default endpoint protection depending on how the sensitivity label is configured: + +- When the sensitivity label is configured for endpoint protection of content that includes business data, the device enforces work protection for documents with the label +- When the sensitivity label is *not configured* for endpoint protection, the device reverts to whatever WIP policy has been defined in Intune or System Center Configuration Manager (SCCM): + - If the document is downloaded from a work site, the device enforces work protection + - If the document is downloaded from a personal site, no work protection is applied + +For more information about labels, see [Overview of labels](https://docs.microsoft.com/office365/securitycompliance/labels). + +## Use cases + +This section covers how WIP works with sensitivity labels in specific use cases. + +### User downloads from or creates a document on a work site + +If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regradless of whether the document has a sensitivity label. + +If the document also has a sensitivity label, which can be Office or PDF files, WIP protection is applied according to the label. + +### User downloads a confidential Office or PDF document from a personal site + +Windows Defender Advanced Threat Protection (Windows Defender ATP) scans for any file that gets modified or created, including files that were created on a personal site. +If the file has a sensitivity label, the corresponding WIP protection gets applied even though the file came from a personal site. +For example: + +1. Sara creates a PDF file on a Mac and labels it as **Confidential**. +2. She emails the PDF from her Gmail account to Laura. +3. Laura opens the PDF file on her Windows 10 device. +4. WIP policy gets applied and the file is protected. + +The PDF file doesn't need any work context beyond the sensitivity label. + +## Prerequisites + +- Windows 10, version 1809 +- [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) scans content for a label and applies corresponding WIP protection +- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in the Office 365 Security & Compliance Center +- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md). + + + + + + + + + diff --git a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png index cf48ea50fc..12d4f6eefd 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png and b/windows/security/information-protection/windows-information-protection/images/access-wip-learning-report.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png index ccc701332b..57c40a85d0 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png and b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png new file mode 100644 index 0000000000..89a133bcbe Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/sensitivity-labels.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png index 08afdf96b5..f453431070 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png and b/windows/security/information-protection/windows-information-protection/images/wip-azure-add-user-groups.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png index e0dc52bd86..fdbc950c9e 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png and b/windows/security/information-protection/windows-information-protection/images/wip-in-oms-console-link.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png index 4f5a81b9a2..926a3c4473 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png and b/windows/security/information-protection/windows-information-protection/images/wip-learning-select-report.png differ diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 9dce29791b..2c82639fdb 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security author: justinha ms.author: justinha -ms.date: 05/30/2018 +ms.date: 12/18/2018 ms.localizationpriority: medium --- @@ -104,7 +104,7 @@ This table provides info about the most common problems you might encounter whil
    • SavedGames
    - WIP isn’t turned on for employees in your organization. + WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using System Center Configuration Manager. Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

    If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index accb65ae90..4005e8742f 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -1,7 +1,7 @@ --- title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10) description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise. -keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Allowed apps list +keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Protected apps list ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -24,7 +24,7 @@ This list provides all of the tasks and settings that are required for the opera |Task|Description| |----|-----------| -|Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.| +|Add at least one app to the **Protected apps** list in your WIP policy.|You must have at least one app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics.| |Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

    Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| @@ -33,4 +33,4 @@ This list provides all of the tasks and settings that are required for the opera >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 6ebcf8b468..33ec5598fe 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -8,7 +8,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.author: justinha -ms.date: 06/18/2018 +ms.date: 11/08/2018 ms.localizationpriority: medium --- @@ -24,6 +24,10 @@ With the increase of employee-owned devices in the enterprise, there’s also an Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. +## Video: Protect enterprise data from being accidentally copied to the wrong place + +> [!Video https://www.microsoft.com/en-us/videoplayer/embed/RE2IGhh] + ## Prerequisites You’ll need this software to run WIP in your enterprise: @@ -77,7 +81,7 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. - - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + - **Using allowed apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. @@ -147,4 +151,4 @@ After deciding to use WIP in your enterprise, you need to: >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index d9b56f7ad3..e352e66a52 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -7,7 +7,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security ms.author: justinha -ms.date: 05/30/2018 +ms.date: 10/18/2018 ms.localizationpriority: medium --- @@ -20,7 +20,7 @@ ms.localizationpriority: medium >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). +We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically. ## Recommended Enterprise Cloud Resources This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization. diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index f9318f3384..fda5027ad2 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -170,4 +170,4 @@ You can try any of the processes included in these scenarios, but you should foc >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 7225edb78c..8bb9b2c5d5 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -1,101 +1,100 @@ ---- -title: -# Fine-tune Windows Information Policy (WIP) with WIP Learning -description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company. -ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2 -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -ms.pagetype: security -author: coreyp-at-msft -ms.localizationpriority: medium -ms.date: 08/08/2018 ---- - -# Fine-tune Windows Information Protection (WIP) with WIP Learning -**Applies to:** - -- Windows 10, version 1703 and later -- Windows 10 Mobile, version 1703 and later - -With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS). - -The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. - -In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list. - -## Access the WIP Learning reports - -1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter. - -2. Choose **Intune** > **Mobile Apps**. - -3. Choose **App protection status**. - -4. Choose **Reports**. - - ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) - -5. Finally, select either **App learning report for Windows Information Protection**, or **Website learning report for Windows Information Protection**. - - ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) - -Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS). - -## View the WIP app learning report in Microsoft Operations Management Suite - -From Intune, you can open OMS by choosing **WIP in the OMS console**. Then you can view the WIP App learning blade to monitor access events per app, and devices that have reported WIP access events: - -![View in Intune of the link to OMS](images/wip-in-oms-console-link.png) - -If you don't have OMS linked to your Microsoft Azure Account, and want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information. - ->[!NOTE] ->Intune has a 14 day data retention capacity, while OMS offers better querying capabilities and longer data retention. - -Once you have WIP policies in place, by using the WIP section of Device Health, you can: - -- Reduce disruptive prompts by adding rules to allow data sharing from approved apps. -- Tune WIP rules by confirming that certain apps are allowed or denied by current policy. - -![Main Windows Information Protection view](images/oms-wip-app-learning-tile.png) - -The **APP LEARNING** tile shows details of app statistics that you can use to evaluate each incident and update app policies by using WIP AppIDs. - -![Details view](images/WIPNEW1-chart-selected-sterile.png) - -In this chart view, you can see apps that have been used on connected devices which, when clicked on, will open additional details on the app, including details you need to adjust your WIP Policy: - -![Details view for a specific app](images/WIPappID-sterile.png) - -Here, you can copy the **WipAppid** and use it to adjust your WIP protection policies. - -## Use OMS and Intune to adjust WIP protection policy - -1. Click the **APP LEARNING** tile in OMS, as described above, to determine which apps are being used for work so you can add those you choose to your WIP policy. - -2. Click the app you want to add to your policy and copy the publisher information from the app details screen. - -3. Back in Intune, click **App protection policies** and then choose the app policy you want to add an application to. - -4. Click **Protected apps**, and then click **Add Apps**. - -5. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). - - ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png) - -6. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 2 above. - - ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png) - -7. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). - -8. Back in OMS, copy the name of the executable (for example, snippingtool.exe) and then go back to Intune and paste it in **FILE** (required). - -9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** - -When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +--- +title: +# Fine-tune Windows Information Policy (WIP) with WIP Learning +description: How to access the WIP Learning report to monitor and apply Windows Information Protection in your company. +ms.assetid: 53db29d2-d99d-4db6-b494-90e2b4872ca2 +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP Learning +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +ms.pagetype: security +author: justinha +ms.author: justinha +ms.localizationpriority: medium +ms.date: 10/15/2018 +--- + +# Fine-tune Windows Information Protection (WIP) with WIP Learning +**Applies to:** + +- Windows 10, version 1703 and later +- Windows 10 Mobile, version 1703 and later + +With WIP Learning, you can intelligently tune which apps and websites are included in your WIP policy to help reduce disruptive prompts and keep it accurate and relevant. WIP Learning generates two reports: The **App learning report** and the **Website learning report**. Both reports are accessed from Microsoft Azure Intune, and you can alternately access the App learning report from Microsoft Operations Management Suite (OMS). + +The **App learning report** monitors your apps, not in policy, that attempt to access work data. You can identify these apps using the report and add them to your WIP policies to avoid productivity disruption before fully enforcing WIP with [“Block”](protect-enterprise-data-using-wip.md#bkmk-modes) mode. Frequent monitoring of the report will help you continuously identify access attempts so you can update your policy accordingly. + +In the **Website learning report**, you can view a summary of the devices that have shared work data with websites. You can use this information to determine which websites should be added to group and user WIP policies. The summary shows which website URLs are accessed by WIP-enabled apps so you can decide which ones are cloud or personal, and add them to the resource list. + +## Access the WIP Learning reports + +1. Open the [Azure portal](http://portal.azure.com/). + +1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**. + +1. Click **Intune** > **Client apps** > **App protection status** > **Reports**. + + ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) + +1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. + + ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) + +Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS). + +## View the WIP app learning report in Microsoft Operations Management Suite + +From Intune, you can open OMS by choosing **WIP in the OMS console**. Then you can view the WIP App learning blade to monitor access events per app, and devices that have reported WIP access events: + +![View in Intune of the link to OMS](images/wip-in-oms-console-link.png) + +If you don't have OMS linked to your Microsoft Azure Account, and want to configure your environment for Windows Analytics: Device Health, see [Get Started with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-get-started) for more information. + +>[!NOTE] +>Intune has a 14 day data retention capacity, while OMS offers better querying capabilities and longer data retention. + +Once you have WIP policies in place, by using the WIP section of Device Health, you can: + +- Reduce disruptive prompts by adding rules to allow data sharing from approved apps. +- Tune WIP rules by confirming that certain apps are allowed or denied by current policy. + +![Main Windows Information Protection view](images/oms-wip-app-learning-tile.png) + +The **APP LEARNING** tile shows details of app statistics that you can use to evaluate each incident and update app policies by using WIP AppIDs. + +![Details view](images/WIPNEW1-chart-selected-sterile.png) + +In this chart view, you can see apps that have been used on connected devices which, when clicked on, will open additional details on the app, including details you need to adjust your WIP Policy: + +![Details view for a specific app](images/WIPappID-sterile.png) + +Here, you can copy the **WipAppid** and use it to adjust your WIP protection policies. + +## Use OMS and Intune to adjust WIP protection policy + +1. Click the **APP LEARNING** tile in OMS, as described above, to determine which apps are being used for work so you can add those you choose to your WIP policy. + +2. Click the app you want to add to your policy and copy the publisher information from the app details screen. + +3. Back in Intune, click **App protection policies** and then choose the app policy you want to add an application to. + +4. Click **Protected apps**, and then click **Add Apps**. + +5. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). + + ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png) + +6. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 2 above. + + ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png) + +7. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). + +8. Back in OMS, copy the name of the executable (for example, snippingtool.exe) and then go back to Intune and paste it in **FILE** (required). + +9. Go back to OMS one more time and note the version number of the app and type it in **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** + +When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 2d5f0c92fd..d1c214ecbe 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -6,6 +6,7 @@ #### [Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md) ##### [Hardware-based isolation](windows-defender-atp/overview-hardware-based-isolation.md) ###### [Application isolation](windows-defender-application-guard/wd-app-guard-overview.md) +####### [System requirements](windows-defender-application-guard/reqs-wd-app-guard.md) ###### [System isolation](windows-defender-atp/how-hardware-based-containers-help-protect-windows.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) ##### [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) @@ -17,6 +18,12 @@ #### [Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md) ##### [Security operations dashboard](windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md) +##### [Incidents queue](windows-defender-atp/incidents-queue.md) +###### [View and organize the Incidents queue](windows-defender-atp/view-incidents-queue.md) +###### [Manage incidents](windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md) +###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md) + + ##### Alerts queue ###### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) @@ -30,7 +37,7 @@ ##### Machines list ###### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md) -###### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) +###### [Manage machine group and tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) ###### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) ###### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) ####### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) @@ -75,74 +82,17 @@ ##### [Custom detections](windows-defender-atp/overview-custom-detections.md) ###### [Create custom detections rules](windows-defender-atp/custom-detection-rules.md) + #### [Management and APIs](windows-defender-atp/management-apis.md) ##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md) -######Actor -####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md) -####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md) -######Alerts -####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md) -####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md) -####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) -####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) -#######Domain -######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) -######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) -######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) -######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) - -######File -####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) -####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md) -####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md) -####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md) -####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md) - -######IP -####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md) -####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md) -######Machines -####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md) -####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) -####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) -####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md) -####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) -####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md) -####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md) -####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md) -####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md) -####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) -####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md) -####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md) -####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md) -####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md) -####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md) -####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md) -####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md) -####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md) - -######User -####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md) -####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md) -####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md) - - -##### [Managed service provider provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md) +##### [Windows Defender ATP APIs](windows-defender-atp/apis-intro.md) +##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md) #### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md) ##### [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) ##### [Microsoft Cloud App Security integration overview](windows-defender-atp/microsoft-cloud-app-security-integration.md) +##### [Information protection in Windows overview](windows-defender-atp/information-protection-in-windows-overview.md) @@ -173,12 +123,14 @@ ### [Configure and manage capabilities](windows-defender-atp/onboard.md) #### [Configure attack surface reduction](windows-defender-atp/configure-attack-surface-reduction.md) ##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md) -###### [Confguration settings](windows-defender-application-guard/configure-wd-app-guard.md) +###### [Configuration settings](windows-defender-application-guard/configure-wd-app-guard.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) -##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) -###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md) -####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) +##### Device control +###### [Control USB devices](device-control/control-usb-devices-using-intune.md) +###### [Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +####### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md) +######## [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) +######## [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) ##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md) ###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md) ###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) @@ -277,6 +229,153 @@ ###### [Troubleshoot onboarding issues](windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) ####### [Troubleshoot subscription and portal access issues](windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) +##### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/use-apis.md) +###### Create your app +####### [Get access on behalf of a user](windows-defender-atp/exposed-apis-create-app-nativeapp.md) +####### [Get access without a user](windows-defender-atp/exposed-apis-create-app-webapp.md) +###### [Supported Windows Defender ATP APIs](windows-defender-atp/exposed-apis-list.md) +####### [Advanced Hunting](windows-defender-atp/run-advanced-query-api.md) + +####### [Alert](windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md) +######## [List alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Create alert](windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md) +######## [Update Alert](windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md) +######## [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related domains information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related IPs information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) +######## [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) + +####### Domain +######## [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md) +######## [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md) + +####### [File](windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md) +######## [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md) +######## [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md) + +####### IP +######## [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md) +######## [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) + +####### [Machine](windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md) +######## [List machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md) +######## [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md) +######## [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) +######## [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Add or Remove machine tags](windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) +######## [Find machines by IP](windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) + + +####### [Machine Action](windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md) +######## [List Machine Actions](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) +######## [Get Machine Action](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md) +######## [Collect investigation package](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md) +######## [Get investigation package SAS URI](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) +######## [Isolate machine](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md) +######## [Release machine from isolation](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md) +######## [Restrict app execution](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md) +######## [Remove app restriction](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) +######## [Run antivirus scan](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md) +######## [Offboard machine](windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md) +######## [Stop and quarantine file](windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) + +####### [User](windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md) +######## [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) +######## [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md) + + +###### How to use APIs - Samples +####### Advanced Hunting API +######## [Schedule advanced Hunting using Microsoft Flow](windows-defender-atp/run-advanced-query-sample-ms-flow.md) +######## [Advanced Hunting using PowerShell](windows-defender-atp/run-advanced-query-sample-powershell.md) +######## [Advanced Hunting using Python](windows-defender-atp/run-advanced-query-sample-python.md) +######## [Create custom Power BI reports](windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md) +####### Multiple APIs +######## [PowerShell](windows-defender-atp/exposed-apis-full-sample-powershell.md) +####### [Using OData Queries](windows-defender-atp/exposed-apis-odata-samples.md) + +##### [Use the Windows Defender ATP exposed APIs (deprecated)](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) +###### [Supported Windows Defender ATP APIs (deprecated)](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md) +#######Actor (deprecated) +######## [Get actor information (deprecated)](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md) +######## [Get actor related alerts (deprecated)](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md) +#######Alerts (deprecated) +######## [Get alerts (deprecated)](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md) +######## [Get alert information by ID (deprecated)](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md) +######## [Get alert related actor information (deprecated)](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related domain information (deprecated)](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related file information (deprecated)](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related IP information (deprecated)](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) +######## [Get alert related machine information (deprecated)](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) +#######Domain (deprecated) +######## [Get domain related alerts (deprecated)](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get domain related machines (deprecated)](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md) +######## [Get domain statistics (deprecated)](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md) +######## [Is domain seen in organization (deprecated)](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) + +#######File(deprecated) +######## [Block file (deprecated)](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md) +######## [Get file information (deprecated)](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md) +######## [Get file related alerts (deprecated)](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get file related machines (deprecated)](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md) +######## [Get file statistics (deprecated)](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md) +######## [Get FileActions collection (deprecated)](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md) +######## [Unblock file (deprecated)](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md) + +#######IP (deprecated) +######## [Get IP related alerts (deprecated)](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get IP related machines (deprecated)](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md) +######## [Get IP statistics (deprecated)](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md) +######## [Is IP seen in organization (deprecated)](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md) +#######Machines (deprecated) +######## [Collect investigation package (deprecated)](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md) +######## [Find machine information by IP (deprecated)](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) +######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) +######## [Get FileMachineAction object (deprecated)](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md) +######## [Get FileMachineActions collection (deprecated)](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) +######## [Get machine by ID (deprecated)](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md) +######## [Get machine log on users (deprecated)](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md) +######## [Get machine related alerts (deprecated)](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get MachineAction object (deprecated)](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md) +######## [Get MachineActions collection (deprecated)](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md) +######## [Get machines (deprecated)](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md) +######## [Get package SAS URI (deprecated)](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md) +######## [Isolate machine (deprecated)](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md) +######## [Release machine from isolation (deprecated)](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md) +######## [Remove app restriction (deprecated)](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +######## [Request sample (deprecated)](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md) +######## [Restrict app execution (deprecated)](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md) +######## [Run antivirus scan (deprecated)](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md) +######## [Stop and quarantine file (deprecated)](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md) + +#######User (deprecated) +######## [Get alert related user information (deprecated)](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md) +######## [Get user information (deprecated)](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md) +######## [Get user related alerts (deprecated)](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md) +######## [Get user related machines (deprecated)](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md) + + +#####Windows updates (KB) info +###### [Get KbInfo collection](windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md) +#####Common Vulnerabilities and Exposures (CVE) to KB map +###### [Get CVE-KB map](windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md) + + + + + + + + + ##### API for custom alerts ###### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md) ###### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md) @@ -313,6 +412,7 @@ #### Configure Microsoft threat protection integration ##### [Configure conditional access](windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md) ##### [Configure Microsoft Cloud App Security integration](windows-defender-atp/microsoft-cloud-app-security-config.md) +##### [Configure information protection in Windows](windows-defender-atp/information-protection-in-windows-config.md) @@ -372,6 +472,7 @@ #### [Malware names](intelligence/malware-naming.md) #### [Coin miners](intelligence/coinminer-malware.md) #### [Exploits and exploit kits](intelligence/exploits-malware.md) +#### [Fileless threats](intelligence/fileless-threats.md) #### [Macro malware](intelligence/macro-malware.md) #### [Phishing](intelligence/phishing.md) #### [Ransomware](intelligence/ransomware-malware.md) @@ -384,6 +485,7 @@ ### [How Microsoft identifies malware and PUA](intelligence/criteria.md) ### [Submit files for analysis](intelligence/submission-guide.md) ### [Safety Scanner download](intelligence/safety-scanner-download.md) +### [Industry antivirus tests](intelligence/top-scoring-industry-antivirus-tests.md) ### [Industry collaboration programs](intelligence/cybersecurity-industry-partners.md) #### [Virus information alliance](intelligence/virus-information-alliance-criteria.md) #### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md) @@ -392,6 +494,12 @@ #### [Software developer FAQ](intelligence/developer-faq.md) #### [Software developer resources](intelligence/developer-resources.md) +## Windows Certifications + +### [FIPS 140 Validations](fips-140-validation.md) +### [Common Criteria Certifications](windows-platform-common-criteria.md) + + ## More Windows 10 security ### [The Windows Security app](windows-defender-security-center/windows-defender-security-center.md) @@ -414,6 +522,8 @@ ### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +### [Use attack surface reduction rules in Windows 10 Enterprise E3](windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md) + ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) @@ -447,6 +557,7 @@ ##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md) ##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md) ###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md) +###### [How to list XML elements in ](auditing/how-to-list-xml-elements-in-eventdata.md) ###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) ####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md) @@ -485,7 +596,7 @@ ####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md) ####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md) ###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md) -####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md) +####### [Event 4782 S: The password hash of an account was accessed.](auditing/event-4782.md) ####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md) ###### [Audit Security Group Management](auditing/audit-security-group-management.md) ####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md) @@ -959,14 +1070,12 @@ ###### [Take ownership of files or other objects](security-policy-settings/take-ownership-of-files-or-other-objects.md) - - - - ### [Windows security baselines](windows-security-baselines.md) #### [Security Compliance Toolkit](security-compliance-toolkit-10.md) #### [Get support](get-support-for-security-baselines.md) +### [MBSA removal and alternatives](mbsa-removal-and-guidance.md) + ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ## [Change history for Threat protection](change-history-for-threat-protection.md) diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 5fdb1739c0..f9a028c36e 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md index 00ef9a3f98..80aac0ab42 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md index 8601d26ede..95b7643f60 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing.md +++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md index 7e40077bc3..454c14422b 100644 --- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md +++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index e84f020843..8b1f8421eb 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 07/25/2018 --- diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md index 1e4cf0bc0a..9cb1d5053c 100644 --- a/windows/security/threat-protection/auditing/audit-account-lockout.md +++ b/windows/security/threat-protection/auditing/audit-account-lockout.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 07/16/2018 --- diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md index dc4a17983a..10fcf365b8 100644 --- a/windows/security/threat-protection/auditing/audit-application-generated.md +++ b/windows/security/threat-protection/auditing/audit-application-generated.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -18,15 +18,15 @@ ms.date: 04/19/2017 - Windows Server 2016 -Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx). +Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx). -Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012. +Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. | -| Member Server | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. | -| Workstation | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. | +| Domain Controller | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. | +| Member Server | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. | +| Workstation | IF | IF | IF | IF | IF – if you use [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/library/cc770563.aspx), enable this subcategory. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md index 54a24aeabd..54f30393c1 100644 --- a/windows/security/threat-protection/auditing/audit-application-group-management.md +++ b/windows/security/threat-protection/auditing/audit-application-group-management.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -18,11 +18,11 @@ ms.date: 04/19/2017 - Windows Server 2016 -Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions. +Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions. -[Application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx). +[Application groups](https://technet.microsoft.com/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx). -Audit Application Group Management subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012. +Audit Application Group Management subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------| diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md index 1adb598a89..46038a5e5c 100644 --- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -40,9 +40,9 @@ Changes to audit policy that are audited include: - Changing the value of CrashOnAuditFail. -- Changing audit settings on an object (for example, modifying the system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) for a file or registry key). +- Changing audit settings on an object (for example, modifying the system access control list ([SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)) for a file or registry key). -> **Note**  [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change. +> **Note**  [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change. - Changing anything in the Special Groups list. diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md index e09948e6a9..9c4f4f01b9 100644 --- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md index ec84ce1cdf..d2a34b5e82 100644 --- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md index f06923aec9..7248f8b951 100644 --- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md +++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -32,9 +32,9 @@ If you configure this policy setting, an audit event is generated each time a us | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | -| Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/library/hh831425.aspx).
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/library/hh831425.aspx).
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/library/hh831425.aspx).
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md index db60342744..109237d268 100644 --- a/windows/security/threat-protection/auditing/audit-certification-services.md +++ b/windows/security/threat-protection/auditing/audit-certification-services.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -52,9 +52,9 @@ Role-specific subcategories are outside the scope of this document. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. | -| Member Server | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. | -| Workstation | No | No | No | No | [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS. | +| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. | +| Member Server | IF | IF | IF | IF | IF – if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. | +| Workstation | No | No | No | No | [Active Directory Certificate Services](https://technet.microsoft.com/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS. | ## 4868: The certificate manager denied a pending certificate request. diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md index 5b3570b704..9ba95826d4 100644 --- a/windows/security/threat-protection/auditing/audit-computer-account-management.md +++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md index 9f9d0cb8f4..1053fc3b3e 100644 --- a/windows/security/threat-protection/auditing/audit-credential-validation.md +++ b/windows/security/threat-protection/auditing/audit-credential-validation.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md index 0f25203d5d..c20e709c3f 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md index 90ea83f0c5..512ffb1d82 100644 --- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md +++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md index 76de4e61d1..f0d54b7e51 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -26,7 +26,7 @@ This subcategory allows you to audit when an Active Directory Domain Services (A | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
    For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. | +| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesn’t give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.
    For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. | | Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | | Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md index d7120d4c5c..a668880442 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -22,7 +22,7 @@ Audit Directory Service Changes determines whether the operating system generate Auditing of directory service objects can provide information about the old and new properties of the objects that were changed. -Audit events are generated only for objects with configured system access control lists ([SACLs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)), and only when they are accessed in a manner that matches their [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. +Audit events are generated only for objects with configured system access control lists ([SACLs](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)), and only when they are accessed in a manner that matches their [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. This subcategory only logs events on domain controllers. @@ -32,7 +32,7 @@ This subcategory triggers events when an Active Directory object was modified, c | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) container or Domain Admins group objects.
    This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.
    For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](https://technet.microsoft.com/magazine/2009.09.sdadminholder.aspx) container or Domain Admins group objects.
    This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.
    For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. | | Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. | diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md index 3271a1b5fb..41ced142b1 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md index 1d9c77ad06..88a2692952 100644 --- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md +++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md index 4b03a1f4a7..86b22ef36d 100644 --- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md +++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -18,7 +18,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -Audit [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx)). +Audit [DPAPI](https://msdn.microsoft.com/library/ms995355.aspx) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](https://msdn.microsoft.com/library/ms995355.aspx)). **Event volume**: Low. diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md index 4501f8e8f7..6664fafb8d 100644 --- a/windows/security/threat-protection/auditing/audit-file-share.md +++ b/windows/security/threat-protection/auditing/audit-file-share.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md index 3195fd4e72..57d6cee236 100644 --- a/windows/security/threat-protection/auditing/audit-file-system.md +++ b/windows/security/threat-protection/auditing/audit-file-system.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -20,15 +20,15 @@ ms.date: 04/19/2017 Audit File System determines whether the operating system generates audit events when users attempt to access file system objects. -Audit events are generated only for objects that have configured system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). +Audit events are generated only for objects that have configured system access control lists ([SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx). If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring. -**Event volume**: Varies, depending on how file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s are configured. +**Event volume**: Varies, depending on how file system [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s are configured. -No audit events are generated for the default file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. +No audit events are generated for the default file system [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s. This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations and hard link creation actions. @@ -36,7 +36,7 @@ Only one event, “[4658](event-4658.md): The handle to an object was closed,” | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.
    Failure events can show you unsuccessful attempts to access specific file system objects.
    Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. | +| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.
    Failure events can show you unsuccessful attempts to access specific file system objects.
    Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. | | Member Server | IF | IF | IF | IF | | | Workstation | IF | IF | IF | IF | | diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md index 9160d63777..611e14619a 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -18,7 +18,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx). +Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx). Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md index 15e570608f..3aeb8b5e37 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -18,7 +18,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx). +Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx). Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md index cd4c887700..bcfe72948a 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -18,7 +18,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following: +Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following: - IPsec services status. diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md index 2c77196a27..c503247f64 100644 --- a/windows/security/threat-protection/auditing/audit-group-membership.md +++ b/windows/security/threat-protection/auditing/audit-group-membership.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md index b0c1442c91..032486cabe 100644 --- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md +++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md index 1907464fec..1fb88b5fd4 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md @@ -6,9 +6,9 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 10/02/2018 --- # Audit IPsec Driver @@ -56,7 +56,7 @@ This subcategory is outside the scope of this document. ## 5478(S): IPsec Services has started successfully. -## 5479(): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. +## 5479(S): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. ## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md index 41835f6b58..e9388ef13f 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md @@ -6,9 +6,9 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 10/02/2018 --- # Audit IPsec Extended Mode @@ -28,17 +28,17 @@ Audit IPsec Extended Mode subcategory is out of scope of this document, because | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. | -## 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. +## 4978(S): During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. -## 4979: IPsec Main Mode and Extended Mode security associations were established. +## 4979(S): IPsec Main Mode and Extended Mode security associations were established. -## 4980: IPsec Main Mode and Extended Mode security associations were established. +## 4980(S): IPsec Main Mode and Extended Mode security associations were established. -## 4981: IPsec Main Mode and Extended Mode security associations were established. +## 4981(S): IPsec Main Mode and Extended Mode security associations were established. -## 4982: IPsec Main Mode and Extended Mode security associations were established. +## 4982(S): IPsec Main Mode and Extended Mode security associations were established. -## 4983: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. +## 4983(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. -## 4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. +## 4984(S): An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md index af0f1a911e..1a34ba32f3 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md @@ -6,9 +6,9 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 10/02/2018 --- # Audit IPsec Main Mode @@ -28,21 +28,21 @@ Audit IPsec Main Mode subcategory is out of scope of this document, because this | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. | -## 4646: Security ID: %1 +## 4646(S): Security ID: %1 -## 4650: An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. +## 4650(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. -## 4651: An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. +## 4651(S): An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. -## 4652: An IPsec Main Mode negotiation failed. +## 4652(F): An IPsec Main Mode negotiation failed. -## 4653: An IPsec Main Mode negotiation failed. +## 4653(F): An IPsec Main Mode negotiation failed. -## 4655: An IPsec Main Mode security association ended. +## 4655(S): An IPsec Main Mode security association ended. -## 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. +## 4976(S): During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. -## 5049: An IPsec Security Association was deleted. +## 5049(S): An IPsec Security Association was deleted. -## 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. +## 5453(S): An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md index 3931177329..40aabcd719 100644 --- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md +++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md @@ -6,9 +6,9 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 10/02/2018 --- # Audit IPsec Quick Mode @@ -28,9 +28,9 @@ Audit IPsec Quick Mode subcategory is out of scope of this document, because thi | Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | | Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. | -## 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. +## 4977(S): During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. -## 5451: An IPsec Quick Mode security association was established. +## 5451(S): An IPsec Quick Mode security association was established. -## 5452: An IPsec Quick Mode security association ended. +## 5452(S): An IPsec Quick Mode security association ended. diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md index c27b4bdf2d..fa45372c3e 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md index f8827a3cf1..555286d0f5 100644 --- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md +++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md index d61d5386f0..4ee34b9790 100644 --- a/windows/security/threat-protection/auditing/audit-kernel-object.md +++ b/windows/security/threat-protection/auditing/audit-kernel-object.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -20,11 +20,11 @@ ms.date: 04/19/2017 Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. -Only kernel objects with a matching system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) generate security audit events. The audits generated are usually useful only to developers. +Only kernel objects with a matching system access control list ([SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)) generate security audit events. The audits generated are usually useful only to developers. Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled. -The “[Audit: Audit the access of global system objects](https://technet.microsoft.com/en-us/library/jj852233.aspx)” policy setting controls the default SACL of kernel objects. +The “[Audit: Audit the access of global system objects](https://technet.microsoft.com/library/jj852233.aspx)” policy setting controls the default SACL of kernel objects. **Event volume**: High. diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md index 347351c797..521a5e8e0f 100644 --- a/windows/security/threat-protection/auditing/audit-logoff.md +++ b/windows/security/threat-protection/auditing/audit-logoff.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 07/16/2018 --- diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md index e57df86b17..4b4cc2f5de 100644 --- a/windows/security/threat-protection/auditing/audit-logon.md +++ b/windows/security/threat-protection/auditing/audit-logon.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md index 8d79ebdaaa..f3bb9e035a 100644 --- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md +++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md index 4cd445c0e1..5f50082169 100644 --- a/windows/security/threat-protection/auditing/audit-network-policy-server.md +++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -26,15 +26,15 @@ This subcategory generates events only if NAS or IAS role is installed on the se NAP events can be used to help understand the overall health of the network. -**Event volume**: Medium to High on servers that are running [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS). +**Event volume**: Medium to High on servers that are running [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS). Role-specific subcategories are outside the scope of this document. | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. | -| Member Server | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. | -| Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role cannot be installed on client OS. | +| Domain Controller | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. | +| Member Server | IF | IF | IF | IF | IF – if a server has the [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. | +| Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/library/cc732912.aspx) (NPS) role cannot be installed on client OS. | ## 6272: Network Policy Server granted access to a user. diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md index 29a2bf062c..9f0a2a2a2f 100644 --- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md index 212599c38d..8a13f5aac2 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md index 0dada7cc0f..2118e8090b 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -30,13 +30,13 @@ This subcategory allows you to audit next events: | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash an account was accessed.”
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | +| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash of an account was accessed.”
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Member Server | No | No | No | No | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Workstation | No | No | No | No | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance.
    This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | **Events List:** -- [4782](event-4782.md)(S): The password hash an account was accessed. +- [4782](event-4782.md)(S): The password hash of an account was accessed. - [4793](event-4793.md)(S): The Password Policy Checking API was called. diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md index d1c84998ab..1be1e370f1 100644 --- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md +++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -40,9 +40,9 @@ Logon events are essential to understanding user activity and detecting potentia | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
    Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | -| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
    Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | -| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
    Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | +| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
    Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | +| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
    Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | +| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.
    Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md index a100b7f4f4..199192018a 100644 --- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md +++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 05/29/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md index 3e9078765c..08d287a0cb 100644 --- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md +++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md index a494cdd7b4..45be00eab8 100644 --- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md +++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md index a9e385b322..e70d6e2681 100644 --- a/windows/security/threat-protection/auditing/audit-other-system-events.md +++ b/windows/security/threat-protection/auditing/audit-other-system-events.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md index 08dd852a74..51f7778df1 100644 --- a/windows/security/threat-protection/auditing/audit-pnp-activity.md +++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md index 65d9725fb1..39e53664c4 100644 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ b/windows/security/threat-protection/auditing/audit-process-creation.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md index ff6e0c7eb7..d1a88331d5 100644 --- a/windows/security/threat-protection/auditing/audit-process-termination.md +++ b/windows/security/threat-protection/auditing/audit-process-termination.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index 463a01e1f6..7454355c57 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -18,7 +18,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. +Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL. @@ -26,7 +26,7 @@ If success auditing is enabled, an audit entry is generated each time any accoun | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.
    Failure events can show you unsuccessful attempts to access specific registry objects.
    Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. | +| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.
    Failure events can show you unsuccessful attempts to access specific registry objects.
    Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. | | Member Server | IF | IF | IF | IF | | | Workstation | IF | IF | IF | IF | | diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md index d4abe3507f..3e4c82578c 100644 --- a/windows/security/threat-protection/auditing/audit-removable-storage.md +++ b/windows/security/threat-protection/auditing/audit-removable-storage.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -18,7 +18,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). +Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx). | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md index a091eac795..584b5fb9ff 100644 --- a/windows/security/threat-protection/auditing/audit-rpc-events.md +++ b/windows/security/threat-protection/auditing/audit-rpc-events.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md index dc8b55abd1..57071fda29 100644 --- a/windows/security/threat-protection/auditing/audit-sam.md +++ b/windows/security/threat-protection/auditing/audit-sam.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -18,7 +18,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx)) objects. +Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](https://technet.microsoft.com/library/cc756748(v=ws.10).aspx)) objects. The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer. @@ -36,19 +36,19 @@ The Security Account Manager (SAM) is a database that is present on computers ru If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts. -Only a [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) for SAM\_SERVER can be modified. +Only a [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) for SAM\_SERVER can be modified. Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events. **Event volume**: High on domain controllers. -For information about reducing the number of events generated in this subcategory, see [KB841001](https://support.microsoft.com/en-us/kb/841001). +For information about reducing the number of events generated in this subcategory, see [KB841001](https://support.microsoft.com/kb/841001). | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. | -| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. | -| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. | +| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/library/cc756748(v=ws.10).aspx) level. | +| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/library/cc756748(v=ws.10).aspx) level. | +| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/library/cc756748(v=ws.10).aspx) level. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index 2e14934b51..7ce77ac37a 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md index 29afe92c74..127b34b44a 100644 --- a/windows/security/threat-protection/auditing/audit-security-state-change.md +++ b/windows/security/threat-protection/auditing/audit-security-state-change.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md index 695ee99db2..778abbd8c0 100644 --- a/windows/security/threat-protection/auditing/audit-security-system-extension.md +++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md index d0572e5d91..0320c9d421 100644 --- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md +++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -46,7 +46,7 @@ Audit Sensitive Privilege Use contains events that show the usage of sensitive p - Take ownership of files or other objects -The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “[Audit: Audit the use of Backup and Restore privilege](https://technet.microsoft.com/en-us/library/jj852206.aspx)” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded. +The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “[Audit: Audit the use of Backup and Restore privilege](https://technet.microsoft.com/library/jj852206.aspx)” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded. This subcategory also contains informational events from the file system Transaction Manager. diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md index 318d0c7c8d..bfd47e55e9 100644 --- a/windows/security/threat-protection/auditing/audit-special-logon.md +++ b/windows/security/threat-protection/auditing/audit-special-logon.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md index 27548edf0f..a244a43880 100644 --- a/windows/security/threat-protection/auditing/audit-system-integrity.md +++ b/windows/security/threat-protection/auditing/audit-system-integrity.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -38,9 +38,9 @@ Violations of security subsystem integrity are critical and could indicate a pot | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
    The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. | -| Member Server | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
    The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. | -| Workstation | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
    The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. | +| Domain Controller | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
    The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) failure events. | +| Member Server | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
    The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) failure events. | +| Workstation | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.
    The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) failure events. | **Events List:** diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md index 8c7ee885fc..3315c7f053 100644 --- a/windows/security/threat-protection/auditing/audit-user-account-management.md +++ b/windows/security/threat-protection/auditing/audit-user-account-management.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md index dbc39068f4..988736426a 100644 --- a/windows/security/threat-protection/auditing/audit-user-device-claims.md +++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md @@ -6,7 +6,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md index 94c4b462f1..8b87a565cb 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md index e1ad77ba01..5ae03bbe81 100644 --- a/windows/security/threat-protection/auditing/basic-audit-account-management.md +++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md index c0a52a4dc4..aea8e2c6a8 100644 --- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md index 9f3210eae2..5ac16f81ca 100644 --- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md index 8492b5fb62..564f09756f 100644 --- a/windows/security/threat-protection/auditing/basic-audit-object-access.md +++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md index 9ff920eda5..d6fa0d9840 100644 --- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md +++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md index 74c74bd180..12b823cf4e 100644 --- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md +++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md index 1282c18871..ada9f8ba66 100644 --- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md +++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md index 2cc15b14cb..1c30f0f216 100644 --- a/windows/security/threat-protection/auditing/basic-audit-system-events.md +++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md index 31ba69f0e1..87389a5d60 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md index 6f7578b433..814491f237 100644 --- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md index 6b329771a8..71a8cdfc2c 100644 --- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md +++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: medium +ms.localizationpriority: none author: brianlic-msft ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md index 13ae345c28..8ae8a12264 100644 --- a/windows/security/threat-protection/auditing/event-1100.md +++ b/windows/security/threat-protection/auditing/event-1100.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md index 61d48236a0..4508e8029a 100644 --- a/windows/security/threat-protection/auditing/event-1102.md +++ b/windows/security/threat-protection/auditing/event-1102.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -84,7 +84,7 @@ This event generates every time Windows Security audit log was cleared. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md index d6928796bc..36c41f9d28 100644 --- a/windows/security/threat-protection/auditing/event-1104.md +++ b/windows/security/threat-protection/auditing/event-1104.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event generates every time Windows security log becomes full. -This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx)”. +This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/library/cc778402(v=ws.10).aspx)”. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -65,5 +65,5 @@ This event generates, for example, if the maximum size of Security Event Log fil ## Security Monitoring Recommendations -- If the Security event log retention method is set to “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx)”, then this event will indicate that log file is full and you need to perform immediate actions, for example, archive the log or clear it. +- If the Security event log retention method is set to “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/library/cc778402(v=ws.10).aspx)”, then this event will indicate that log file is full and you need to perform immediate actions, for example, archive the log or clear it. diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md index 3fb741e93d..9b170d57a8 100644 --- a/windows/security/threat-protection/auditing/event-1105.md +++ b/windows/security/threat-protection/auditing/event-1105.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event generates every time Windows security log becomes full and new event log file was created. -This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Archive the log when full, do not overwrite events](https://technet.microsoft.com/en-us/library/cc721981.aspx)”. +This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Archive the log when full, do not overwrite events](https://technet.microsoft.com/library/cc721981.aspx)”. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -96,5 +96,5 @@ The time in this event is always in ***GMT+0/UTC+0*** time zone. For 1105(S): Event log automatic backup. -- Typically it’s an informational event and no actions are needed. But if your baseline settings are not set to [Archive the log when full, do not overwrite events](https://technet.microsoft.com/en-us/library/cc721981.aspx), then this event will be a sign that some settings are not set to baseline settings or were changed. +- Typically it’s an informational event and no actions are needed. But if your baseline settings are not set to [Archive the log when full, do not overwrite events](https://technet.microsoft.com/library/cc721981.aspx), then this event will be a sign that some settings are not set to baseline settings or were changed. diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md index 53a761ddd3..937b44bb97 100644 --- a/windows/security/threat-protection/auditing/event-1108.md +++ b/windows/security/threat-protection/auditing/event-1108.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -73,7 +73,7 @@ For example, event 1108 might be generated after an incorrect [4703](event-4703. ***Field Descriptions:*** -**%1** \[Type = UnicodeString\]: the name of [security event source](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx) from which event was received for processing. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example: +**%1** \[Type = UnicodeString\]: the name of [security event source](https://msdn.microsoft.com/library/windows/desktop/aa363661(v=vs.85).aspx) from which event was received for processing. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example: Subkeys under Security key illustration diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md index 40e4b625b8..cff87d7dea 100644 --- a/windows/security/threat-protection/auditing/event-4608.md +++ b/windows/security/threat-protection/auditing/event-4608.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md index 97ce41dd27..b774388a33 100644 --- a/windows/security/threat-protection/auditing/event-4610.md +++ b/windows/security/threat-protection/auditing/event-4610.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time [Authentication Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374733(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)). +This event generates every time [Authentication Package](https://msdn.microsoft.com/library/windows/desktop/aa374733(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/library/windows/desktop/aa378326(v=vs.85).aspx)). Each time the system starts, the LSA loads the Authentication Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages** registry value and performs the initialization sequence for every package located in these DLLs. @@ -65,9 +65,9 @@ Each time the system starts, the LSA loads the Authentication Package DLLs from ***Field Descriptions:*** -**Authentication Package Name** \[Type = UnicodeString\]**:** the name of loaded [Authentication Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374733(v=vs.85).aspx). The format is: DLL\_PATH\_AND\_NAME: AUTHENTICATION\_PACKAGE\_NAME. +**Authentication Package Name** \[Type = UnicodeString\]**:** the name of loaded [Authentication Package](https://msdn.microsoft.com/library/windows/desktop/aa374733(v=vs.85).aspx). The format is: DLL\_PATH\_AND\_NAME: AUTHENTICATION\_PACKAGE\_NAME. -By default the only one Authentication Package loaded by Windows 10 is “[MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378753(v=vs.85).aspx)”. +By default the only one Authentication Package loaded by Windows 10 is “[MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0](https://msdn.microsoft.com/library/windows/desktop/aa378753(v=vs.85).aspx)”. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md index 97cefc2edc..4683b8e287 100644 --- a/windows/security/threat-protection/auditing/event-4611.md +++ b/windows/security/threat-protection/auditing/event-4611.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event indicates that a logon process has registered with the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)). Also, logon requests will now be accepted from this source. +This event indicates that a logon process has registered with the Local Security Authority ([LSA](https://msdn.microsoft.com/library/windows/desktop/aa378326(v=vs.85).aspx)). Also, logon requests will now be accepted from this source. At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates. @@ -89,7 +89,7 @@ You typically see these events during operating system startup or user logon and - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index 1d0a8fc3ac..4a380aceb6 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md index 83b5ae6f58..5d049126d3 100644 --- a/windows/security/threat-protection/auditing/event-4614.md +++ b/windows/security/threat-protection/auditing/event-4614.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,9 +23,9 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time a Notification Package has been loaded by the [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx). +This event generates every time a Notification Package has been loaded by the [Security Account Manager](https://technet.microsoft.com/library/cc756748(v=ws.10).aspx). -In reality, starting with Windows Vista, a notification package should be interpreted as afs [Password Filter](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx). +In reality, starting with Windows Vista, a notification package should be interpreted as afs [Password Filter](https://msdn.microsoft.com/library/windows/desktop/ms721882(v=vs.85).aspx). Password Filters are DLLs that are loaded or called when passwords are set or changed. diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index 37c253f26f..2f460fcef2 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md index 61bcb648f9..8079480ca1 100644 --- a/windows/security/threat-protection/auditing/event-4616.md +++ b/windows/security/threat-protection/auditing/event-4616.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -96,7 +96,7 @@ You will typically see these events with “**Subject\\Security ID**” = “**L - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md index 624692202b..6f99221add 100644 --- a/windows/security/threat-protection/auditing/event-4618.md +++ b/windows/security/threat-protection/auditing/event-4618.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md index b1e1638791..b0b851608d 100644 --- a/windows/security/threat-protection/auditing/event-4621.md +++ b/windows/security/threat-protection/auditing/event-4621.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event is logged after a system reboots following [CrashOnAuditFail](https://technet.microsoft.com/en-us/library/cc963220.aspx?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2. +This event is logged after a system reboots following [CrashOnAuditFail](https://technet.microsoft.com/library/cc963220.aspx?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2. There is no example of this event in this document. @@ -39,7 +39,7 @@ There is no example of this event in this document. ## Security Monitoring Recommendations -- We recommend triggering an alert for any occurrence of this event. The event shows that the system halted because it could not record an auditable event in the Security Log, as described in [CrashOnAuditFail](https://technet.microsoft.com/en-us/library/cc963220.aspx?f=255&MSPPError=-2147217396). +- We recommend triggering an alert for any occurrence of this event. The event shows that the system halted because it could not record an auditable event in the Security Log, as described in [CrashOnAuditFail](https://technet.microsoft.com/library/cc963220.aspx?f=255&MSPPError=-2147217396). -- If your computers don’t have the [CrashOnAuditFail](https://technet.microsoft.com/en-us/library/cc963220.aspx?f=255&MSPPError=-2147217396) flag enabled, then this event will be a sign that some settings are not set to baseline settings or were changed. +- If your computers don’t have the [CrashOnAuditFail](https://technet.microsoft.com/library/cc963220.aspx?f=255&MSPPError=-2147217396) flag enabled, then this event will be a sign that some settings are not set to baseline settings or were changed. diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md index b8b8d972af..392f672814 100644 --- a/windows/security/threat-protection/auditing/event-4622.md +++ b/windows/security/threat-protection/auditing/event-4622.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,13 +23,13 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time [Security Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380501(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)). +This event generates every time [Security Package](https://msdn.microsoft.com/library/windows/desktop/aa380501(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/library/windows/desktop/aa378326(v=vs.85).aspx)). Security Package is the software implementation of a security protocol (Kerberos, NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs. Each time the system starts, the LSA loads the Security Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages** registry value and performs the initialization sequence for every package located in these DLLs. -It is also possible to add security package dynamically using [AddSecurityPackage](https://msdn.microsoft.com/en-us/library/windows/desktop/dd401506(v=vs.85).aspx) function, not only during system startup process. +It is also possible to add security package dynamically using [AddSecurityPackage](https://msdn.microsoft.com/library/windows/desktop/dd401506(v=vs.85).aspx) function, not only during system startup process. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index 8ee6f8a44b..4b806cfc45 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -129,7 +129,7 @@ This event generates when a logon session is created (on destination machine). I - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -159,7 +159,7 @@ This event generates when a logon session is created (on destination machine). I If not a **RemoteInteractive** logon, then this will be "-" string. -- **Virtual Account** \[Version 2\] \[Type = UnicodeString\]**:** a “Yes” or “No” flag, which indicates if the account is a virtual account (e.g., "[Managed Service Account](https://technet.microsoft.com/en-us/library/dd560633(v=ws.10).aspx)"), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using "NetworkService". +- **Virtual Account** \[Version 2\] \[Type = UnicodeString\]**:** a “Yes” or “No” flag, which indicates if the account is a virtual account (e.g., "[Managed Service Account](https://technet.microsoft.com/library/dd560633(v=ws.10).aspx)"), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using "NetworkService". - **Elevated Token** \[Version 2\] \[Type = UnicodeString\]**:** a “Yes” or “No” flag. If “Yes” then the session this event represents is elevated and has administrator privileges. @@ -189,7 +189,7 @@ This event generates when a logon session is created (on destination machine). I - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -251,9 +251,9 @@ This event generates when a logon session is created (on destination machine). I - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos. -- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see +- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see -- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/en-us/library/cc236627.aspx) protocol name) that was used during logon. Possible values are: +- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/library/cc236627.aspx) protocol name) that was used during logon. Possible values are: - “NTLM V1” @@ -263,7 +263,7 @@ This event generates when a logon session is created (on destination machine). I Only populated if “**Authentication Package” = “NTLM”**. -- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/en-us/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “**Authentication Package” = “Kerberos”**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package. +- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “**Authentication Package” = “Kerberos”**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index f06d559a05..2c05bde4a6 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -103,7 +103,7 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -139,7 +139,7 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -221,9 +221,9 @@ More information: - **Negotiate** – the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos. -- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see +- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user – most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see -- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/en-us/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are: +- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are: - “NTLM V1” @@ -233,7 +233,7 @@ More information: Only populated if “**Authentication Package” = “NTLM”**. -- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/en-us/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “**Authentication Package” = “Kerberos”**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package. +- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “**Authentication Package” = “Kerberos”**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md index 804c229ae3..d8a85f95bc 100644 --- a/windows/security/threat-protection/auditing/event-4626.md +++ b/windows/security/threat-protection/auditing/event-4626.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -99,7 +99,7 @@ This event generates on the computer to which the logon was performed (target co - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -135,7 +135,7 @@ This event generates on the computer to which the logon was performed (target co - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md index 86c34c7909..43df6798b8 100644 --- a/windows/security/threat-protection/auditing/event-4627.md +++ b/windows/security/threat-protection/auditing/event-4627.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -94,7 +94,7 @@ Multiple events are generated if the group membership information cannot fit in - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -130,7 +130,7 @@ Multiple events are generated if the group membership information cannot fit in - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md index 9f05521e12..8e486213ed 100644 --- a/windows/security/threat-protection/auditing/event-4634.md +++ b/windows/security/threat-protection/auditing/event-4634.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 11/20/2017 --- @@ -89,7 +89,7 @@ It may be positively correlated with a “[4624](event-4624.md): An account was - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md index f3f4af3202..fb96f3f25e 100644 --- a/windows/security/threat-protection/auditing/event-4647.md +++ b/windows/security/threat-protection/auditing/event-4647.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -88,7 +88,7 @@ It may be positively correlated with a “[4624](event-4624.md): An account was - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md index 1614e05097..a8a8518c4c 100644 --- a/windows/security/threat-protection/auditing/event-4648.md +++ b/windows/security/threat-protection/auditing/event-4648.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -96,7 +96,7 @@ It is also a routine event which periodically occurs during normal operating sys - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -122,7 +122,7 @@ It is also a routine event which periodically occurs during normal operating sys - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md index 3b378b7682..9214d1fc97 100644 --- a/windows/security/threat-protection/auditing/event-4649.md +++ b/windows/security/threat-protection/auditing/event-4649.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md index b009f0d8eb..68f1286e56 100644 --- a/windows/security/threat-protection/auditing/event-4656.md +++ b/windows/security/threat-protection/auditing/event-4656.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -27,7 +27,7 @@ This event indicates that specific access was requested for an object. The objec If access was declined, a Failure event is generated. -This event generates only if the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) has the required ACE to handle the use of specific access rights. +This event generates only if the object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) has the required ACE to handle the use of specific access rights. This event shows that access was requested, and the results of the request, but it doesn’t show that the operation was performed. To see that the operation was performed, check “[4663](event-4663.md)(S): An attempt was made to access an object.” @@ -107,7 +107,7 @@ This event shows that access was requested, and the results of the request, but - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -174,7 +174,7 @@ This event shows that access was requested, and the results of the request, but | AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
    %%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
    **AddSubdirectory -** For a directory, the right to create a subdirectory.
    **CreatePipeInstance -** For a named pipe, the right to create a pipe. | | ReadEA
    (For registry objects, this is “Enumerate sub-keys.”) | 0x8,
    %%4419 | The right to read extended file attributes. | | WriteEA | 0x10,
    %%4420 | The right to write extended file attributes. | -| Execute/Traverse | 0x20,
    %%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
    **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| Execute/Traverse | 0x20,
    %%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
    **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | | DeleteChild | 0x40,
    %%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | | ReadAttributes | 0x80,
    %%4423 | The right to read file attributes. | | WriteAttributes | 0x100,
    %%4424 | The right to write file attributes. | @@ -197,9 +197,9 @@ This event shows that access was requested, and the results of the request, but | Privilege Name | User Right Group Policy Name | Description | |---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | | SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | | SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | | SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | @@ -231,9 +231,9 @@ This event shows that access was requested, and the results of the request, but | SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | | SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | | SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
    With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | -- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**. +- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md index 06375a60e0..cf9a1f22b9 100644 --- a/windows/security/threat-protection/auditing/event-4657.md +++ b/windows/security/threat-protection/auditing/event-4657.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event generates when a registry key ***value*** was modified. It doesn’t generate when a registry key was modified. -This event generates only if “Set Value" auditing is set in registry key’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). +This event generates only if “Set Value" auditing is set in registry key’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx). > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -94,7 +94,7 @@ This event generates only if “Set Value" auditing is set in registry key’s [ - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md index 5ceeb9a280..b8befe0926 100644 --- a/windows/security/threat-protection/auditing/event-4658.md +++ b/windows/security/threat-protection/auditing/event-4658.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -90,7 +90,7 @@ Typically this event is needed if you need to know how long the handle to the ob - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md index 1d464049d7..1eef286432 100644 --- a/windows/security/threat-protection/auditing/event-4660.md +++ b/windows/security/threat-protection/auditing/event-4660.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event generates when an object was deleted. The object could be a file system, kernel, or registry object. -This event generates only if “Delete" auditing is set in object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). +This event generates only if “Delete" auditing is set in object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx). This event doesn’t contain the name of the deleted object (only the **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object” with DELETE access to track object deletion. @@ -93,7 +93,7 @@ The advantage of this event is that it’s generated only during real delete ope - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md index fab58ae85f..f51210b9c3 100644 --- a/windows/security/threat-protection/auditing/event-4661.md +++ b/windows/security/threat-protection/auditing/event-4661.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -98,7 +98,7 @@ This event generates only if Success auditing is enabled for the [Audit Handle M - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -172,9 +172,9 @@ This event generates only if Success auditing is enabled for the [Audit Handle M | Privilege Name | User Right Group Policy Name | Description | |---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | | SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | | SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | | SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | @@ -206,11 +206,11 @@ This event generates only if Success auditing is enabled for the [Audit Handle M | SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | | SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | | SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
    With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | - **Properties** \[Type = UnicodeString\]: depends on **Object Type**. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in “[4661](event-4661.md): A handle to an object was requested” from [Audit SAM](audit-sam.md) subcategory. -- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**. +- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md index 945efabaa8..bc4d1b5050 100644 --- a/windows/security/threat-protection/auditing/event-4662.md +++ b/windows/security/threat-protection/auditing/event-4662.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event generates every time when an operation was performed on an Active Directory object. -This event generates only if appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) was set for Active Directory object and performed operation meets this SACL. +This event generates only if appropriate [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) was set for Active Directory object and performed operation meets this SACL. If operation failed then Failure event will be generated. @@ -98,7 +98,7 @@ You will get one 4662 for each operation type which was performed. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -120,7 +120,7 @@ You will get one 4662 for each operation type which was performed. - groupPolicyContainer – for group policy objects. - For all possible values of **Object Type** open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: + For all possible values of **Object Type** open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: - **Object Name** \[Type = UnicodeString\]: distinguished name of the object that was accessed. @@ -206,7 +206,7 @@ To translate this GUID, use the following procedure: Schema search illustration -Sometimes GUID refers to pre-defined Active Directory Property Sets, you can find GUID (**Rights-GUID** field), “property set name” and details here: . +Sometimes GUID refers to pre-defined Active Directory Property Sets, you can find GUID (**Rights-GUID** field), “property set name” and details here: . Here is an example of decoding of **Properties** field: diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md index 0896af005f..534366322f 100644 --- a/windows/security/threat-protection/auditing/event-4663.md +++ b/windows/security/threat-protection/auditing/event-4663.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device. -This event generates only if object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) has required ACE to handle specific access right use. +This event generates only if object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) has required ACE to handle specific access right use. The main difference with “[4656](event-4656.md): A handle to an object was requested.” event is that 4663 shows that access right was used instead of just requested and 4663 doesn’t have Failure events. @@ -101,7 +101,7 @@ The main difference with “[4656](event-4656.md): A handle to an object was req - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -162,7 +162,7 @@ The main difference with “[4656](event-4656.md): A handle to an object was req | AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
    %%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
    **AddSubdirectory -** For a directory, the right to create a subdirectory.
    **CreatePipeInstance -** For a named pipe, the right to create a pipe. | | ReadEA
    (For registry objects, this is “Enumerate sub-keys.”) | 0x8,
    %%4419 | The right to read extended file attributes. | | WriteEA | 0x10,
    %%4420 | The right to write extended file attributes. | -| Execute/Traverse | 0x20,
    %%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
    **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| Execute/Traverse | 0x20,
    %%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
    **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | | DeleteChild | 0x40,
    %%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | | ReadAttributes | 0x80,
    %%4423 | The right to read file attributes. | | WriteAttributes | 0x100,
    %%4424 | The right to write file attributes. | diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md index 23ee991c1a..af4feb6149 100644 --- a/windows/security/threat-protection/auditing/event-4664.md +++ b/windows/security/threat-protection/auditing/event-4664.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -85,7 +85,7 @@ This event generates when an NTFS hard link was successfully created. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 496c9157ff..008b34039d 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,9 +25,9 @@ ms.date: 04/19/2017 This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object. -This event does not generate if the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (Auditing ACL) was changed. +This event does not generate if the [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (Auditing ACL) was changed. -Before this event can generate, certain ACEs might need to be set in the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the object’s SACL. +Before this event can generate, certain ACEs might need to be set in the object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx). For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the object’s SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the object’s SACL. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -94,7 +94,7 @@ Before this event can generate, certain ACEs might need to be set in the object - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -250,7 +250,7 @@ Example: D:(A;;FA;;;WD) - inherit\_object\_guid: N/A - account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. -For more information about SDDL syntax, see these articles: , . +For more information about SDDL syntax, see these articles: , . ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md index e8f42c6afa..eb364f29f6 100644 --- a/windows/security/threat-protection/auditing/event-4671.md +++ b/windows/security/threat-protection/auditing/event-4671.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md index 04962bc557..baac7dff4d 100644 --- a/windows/security/threat-protection/auditing/event-4672.md +++ b/windows/security/threat-protection/auditing/event-4672.md @@ -5,9 +5,9 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh -ms.date: 04/19/2017 +ms.date: 12/20/2018 --- # 4672(S): Special privileges assigned to new logon. @@ -18,7 +18,7 @@ ms.date: 04/19/2017 Event 4672 illustration - +
    ***Subcategory:*** [Audit Special Logon](audit-special-logon.md) ***Event Description:*** @@ -111,7 +111,7 @@ You typically will see many of these events in the event log, because every logo - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -121,11 +121,11 @@ You typically will see many of these events in the event log, because every logo | Privilege Name | User Right Group Policy Name | Description | |-------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | | SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
    When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | -| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
    With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | +| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.
    With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | | SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.
    With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.
    The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. | | SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | | SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.
    With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. | diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md index 8749baa01b..a37fc4fdc7 100644 --- a/windows/security/threat-protection/auditing/event-4673.md +++ b/windows/security/threat-protection/auditing/event-4673.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -91,7 +91,7 @@ Failure event generates when service call attempt fails. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -157,7 +157,7 @@ Failure event generates when service call attempt fails. | **Subcategory of event** | **Privilege Name:
    User Right Group Policy Name** | **Description** | |-------------------------------|-----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
    **Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
    **Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | | Audit Sensitive Privilege Use | **SeAuditPrivilege:
    **Generate security audits | With this privilege, the user can add entries to the security log. | | Audit Sensitive Privilege Use | **SeCreateTokenPrivilege:
    **Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | | Audit Sensitive Privilege Use | **SeDebugPrivilege:
    **Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. | diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md index 58934e4de7..a7403d9250 100644 --- a/windows/security/threat-protection/auditing/event-4674.md +++ b/windows/security/threat-protection/auditing/event-4674.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -94,7 +94,7 @@ Failure event generates when operation attempt fails. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -179,9 +179,9 @@ Failure event generates when operation attempt fails. | **Subcategory of event** | **Privilege Name:
    User Right Group Policy Name** | **Description** | |-------------------------------|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
    **Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege:
    **Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | | Audit Sensitive Privilege Use | **SeAuditPrivilege:
    **Generate security audits | With this privilege, the user can add entries to the security log. | -| Audit Sensitive Privilege Use | **SeBackupPrivilege:
    **Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
    The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | +| Audit Sensitive Privilege Use | **SeBackupPrivilege:
    **Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
    The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | | Audit Sensitive Privilege Use | **SeCreateTokenPrivilege:
    **Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.
    When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. | | Audit Sensitive Privilege Use | **SeDebugPrivilege:
    **Debug programs | Required to debug and adjust the memory of a process owned by another account.
    With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right.
    This user right provides complete access to sensitive and critical operating system components. | | Audit Sensitive Privilege Use | **SeImpersonatePrivilege:
    **Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. | diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md index f5946c9298..8b6c45689b 100644 --- a/windows/security/threat-protection/auditing/event-4675.md +++ b/windows/security/threat-protection/auditing/event-4675.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -19,7 +19,7 @@ ms.date: 04/19/2017 This event generates when SIDs were filtered for specific Active Directory trust. -See more information about SID filtering here: . +See more information about SID filtering here: . > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index eef6cadbee..013d9b7aef 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -109,7 +109,7 @@ This event generates every time a new process starts. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -133,7 +133,7 @@ This event generates every time a new process starts. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -157,7 +157,7 @@ This event generates every time a new process starts. - **TokenElevationTypeLimited (3):** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. -- **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](https://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx) which was assigned to the new process. Can have one of the following values: +- **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](https://msdn.microsoft.com/library/windows/desktop/bb648648(v=vs.85).aspx) which was assigned to the new process. Can have one of the following values: | SID | RID | RID label | Meaning | |--------------|------------|----------------------------------------------|------------------------| diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md index dceac91e41..cb7fd77b72 100644 --- a/windows/security/threat-protection/auditing/event-4689.md +++ b/windows/security/threat-protection/auditing/event-4689.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -85,7 +85,7 @@ This event generates every time a process has exited. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md index 88b3db7b2f..5959189ef0 100644 --- a/windows/security/threat-protection/auditing/event-4690.md +++ b/windows/security/threat-protection/auditing/event-4690.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -86,7 +86,7 @@ This event generates if an attempt was made to duplicate a handle to an object. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md index 2ccb4ed0a9..e0ba6fb4f2 100644 --- a/windows/security/threat-protection/auditing/event-4691.md +++ b/windows/security/threat-protection/auditing/event-4691.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event indicates that indirect access to an object was requested. -These events are generated for [ALPC Ports](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964738(v=vs.85).aspx) access request actions. +These events are generated for [ALPC Ports](https://msdn.microsoft.com/library/windows/desktop/aa964738(v=vs.85).aspx) access request actions. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -89,7 +89,7 @@ These events are generated for [ALPC Ports](https://msdn.microsoft.com/en-us/lib - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md index e1eaefb348..77e4da1228 100644 --- a/windows/security/threat-protection/auditing/event-4692.md +++ b/windows/security/threat-protection/auditing/event-4692.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time that a backup is attempted for the [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Master Key. +This event generates every time that a backup is attempted for the [DPAPI](https://msdn.microsoft.com/library/ms995355.aspx) Master Key. When a computer is a member of a domain, DPAPI has a backup mechanism to allow unprotection of the data. When a Master Key is generated, DPAPI communicates with a domain controller. Domain controllers have a domain-wide public/private key pair, associated solely with DPAPI. The local DPAPI client gets the domain controller public key from a domain controller by using a mutually authenticated and privacy protected RPC call. The client encrypts the Master Key with the domain controller public key. It then stores this backup Master Key along with the Master Key protected by the user's password. @@ -96,7 +96,7 @@ Failure event generates when a Master Key backup operation fails for some reason - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md index e9f776d0ca..bc0733db9c 100644 --- a/windows/security/threat-protection/auditing/event-4693.md +++ b/windows/security/threat-protection/auditing/event-4693.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time that recovery is attempted for a [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Master Key. +This event generates every time that recovery is attempted for a [DPAPI](https://msdn.microsoft.com/library/ms995355.aspx) Master Key. While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call. The domain controller then decrypts the Master Key with its private key and sends it back to the client by using the same protected RPC call. This protected RPC call is used to ensure that no one listening on the network can get the Master Key. @@ -93,7 +93,7 @@ Failure event generates when a Master Key restore operation fails for some reaso - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md index b8b2d4fde7..69a89c89cb 100644 --- a/windows/security/threat-protection/auditing/event-4694.md +++ b/windows/security/threat-protection/auditing/event-4694.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event generates if [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx)  [**CryptProtectData**](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. +This event generates if [DPAPI](https://msdn.microsoft.com/library/ms995355.aspx)  [**CryptProtectData**](https://msdn.microsoft.com/library/windows/desktop/aa380261(v=vs.85).aspx)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md index 5bc050e752..d29cf80e5f 100644 --- a/windows/security/threat-protection/auditing/event-4695.md +++ b/windows/security/threat-protection/auditing/event-4695.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event generates if [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) [CryptUnprotectData](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380882(v=vs.85).aspx)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380261(v=vs.85).aspx)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. +This event generates if [DPAPI](https://msdn.microsoft.com/library/ms995355.aspx) [CryptUnprotectData](https://msdn.microsoft.com/library/windows/desktop/aa380882(v=vs.85).aspx)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](https://msdn.microsoft.com/library/windows/desktop/aa380261(v=vs.85).aspx)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md index 94e30520f0..ee53883c2f 100644 --- a/windows/security/threat-protection/auditing/event-4696.md +++ b/windows/security/threat-protection/auditing/event-4696.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -92,7 +92,7 @@ This event generates every time a process runs using the non-current access toke - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -134,7 +134,7 @@ This event generates every time a process runs using the non-current access toke - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md index 608cf4412e..86c985d030 100644 --- a/windows/security/threat-protection/auditing/event-4697.md +++ b/windows/security/threat-protection/auditing/event-4697.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -87,7 +87,7 @@ This event generates when new service was installed in the system. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -103,7 +103,7 @@ This event generates when new service was installed in the system. Note that this is the path to the file when the service is created. If the path is changed afterwards, the change is not logged. This would have to be tracked via Process Create events. -- **Service Type** \[Type = HexInt32\]: Indicates the [type](https://msdn.microsoft.com/en-us/library/tfdtdw0e(v=vs.110).aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1) of service that was registered with the Service Control Manager. It can be one of the following: +- **Service Type** \[Type = HexInt32\]: Indicates the [type](https://msdn.microsoft.com/library/tfdtdw0e(v=vs.110).aspx?cs-save-lang=1&cs-lang=csharp#code-snippet-1) of service that was registered with the Service Control Manager. It can be one of the following: | Value | Service Type | Description | |-------|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -111,11 +111,11 @@ This event generates when new service was installed in the system. | 0x2 | ​File System Driver | ​A file system driver, which is also a Kernel device driver. | | 0x8 | ​Recognizer Driver | ​A file system driver used during startup to determine the file systems present on the system. | | 0x10 | ​Win32 Own Process | ​A Win32 program that can be started by the Service Controller and that obeys the service control protocol. This type of Win32 service runs in a process by itself (this is the most common). | -| 0x20 | ​Win32 Share Process | ​A Win32 service that can share a process with other Win32 services.
    (see: | -| 0x110 | ​Interactive Own Process | ​A service that should be run as a standalone process and can communicate with the desktop.
    (see: ) | +| 0x20 | ​Win32 Share Process | ​A Win32 service that can share a process with other Win32 services.
    (see: | +| 0x110 | ​Interactive Own Process | ​A service that should be run as a standalone process and can communicate with the desktop.
    (see: ) | | 0x120 | Interactive Share Process | A service that can share address space with other services of the same type and can communicate with the desktop. | -- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: : +- **Service Start Type** \[Type = HexInt32\]: The service start type can have one of the following values (see: : | Value | Service Type | Description | |-------|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------| diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md index 0ea9a8bfcb..f47bfb676a 100644 --- a/windows/security/threat-protection/auditing/event-4698.md +++ b/windows/security/threat-protection/auditing/event-4698.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -84,7 +84,7 @@ This event generates every time a new scheduled task is created. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -96,7 +96,7 @@ This event generates every time a new scheduled task is created. Task Scheduler Library illustration -- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) content of the new task. For more information about the XML format for scheduled tasks, see “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx).” +- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/library/aa286548.aspx) content of the new task. For more information about the XML format for scheduled tasks, see “[XML Task Definition Format](https://msdn.microsoft.com/library/cc248308.aspx).” ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md index f4deaf1e26..fbe8720d38 100644 --- a/windows/security/threat-protection/auditing/event-4699.md +++ b/windows/security/threat-protection/auditing/event-4699.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -84,7 +84,7 @@ This event generates every time a scheduled task was deleted. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -96,7 +96,7 @@ This event generates every time a scheduled task was deleted. Task Scheduler Library illustration -- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the deleted task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. +- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/library/aa286548.aspx) of the deleted task. Here “[XML Task Definition Format](https://msdn.microsoft.com/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md index b6550f63e8..02a1cd7a54 100644 --- a/windows/security/threat-protection/auditing/event-4700.md +++ b/windows/security/threat-protection/auditing/event-4700.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -84,7 +84,7 @@ This event generates every time a scheduled task is enabled. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -96,7 +96,7 @@ This event generates every time a scheduled task is enabled. Task Scheduler Library illustration -- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the enabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. +- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/library/aa286548.aspx) of the enabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md index 66c0fdbe24..6482686719 100644 --- a/windows/security/threat-protection/auditing/event-4701.md +++ b/windows/security/threat-protection/auditing/event-4701.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -84,7 +84,7 @@ This event generates every time a scheduled task is disabled. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -96,7 +96,7 @@ This event generates every time a scheduled task is disabled. Task Scheduler Library illustration -- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) of the disabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. +- **Task Content** \[Type = UnicodeString\]: the [XML](https://msdn.microsoft.com/library/aa286548.aspx) of the disabled task. Here “[XML Task Definition Format](https://msdn.microsoft.com/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md index 9b344d520b..1cd62dc082 100644 --- a/windows/security/threat-protection/auditing/event-4702.md +++ b/windows/security/threat-protection/auditing/event-4702.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -84,7 +84,7 @@ This event generates every time scheduled task was updated/changed. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -96,7 +96,7 @@ This event generates every time scheduled task was updated/changed. Task Scheduler Library illustration -- **Task New Content** \[Type = UnicodeString\]: the new [XML](https://msdn.microsoft.com/en-us/library/aa286548.aspx) for the updated task. Here “[XML Task Definition Format](https://msdn.microsoft.com/en-us/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. +- **Task New Content** \[Type = UnicodeString\]: the new [XML](https://msdn.microsoft.com/library/aa286548.aspx) for the updated task. Here “[XML Task Definition Format](https://msdn.microsoft.com/library/cc248308.aspx)” you can read more about the XML format for scheduled tasks. ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md index 3a33b7fb1a..3fbaa67128 100644 --- a/windows/security/threat-protection/auditing/event-4703.md +++ b/windows/security/threat-protection/auditing/event-4703.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when [token privileges](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703. +This event generates when [token privileges](https://msdn.microsoft.com/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific account’s token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -94,7 +94,7 @@ Token privileges provide the ability to take certain system-level actions that y - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -116,7 +116,7 @@ Token privileges provide the ability to take certain system-level actions that y - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -140,9 +140,9 @@ Token privileges provide the ability to take certain system-level actions that y | Privilege Name | User Right Group Policy Name | Description | |---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | | SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | | SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | | SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | @@ -174,7 +174,7 @@ Token privileges provide the ability to take certain system-level actions that y | SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | | SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | | SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
    With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | **Disabled Privileges** \[Type = UnicodeString\]**:** the list of disabled user rights. See possible values in the table above. diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index 2f3c13af0b..3904837027 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -86,7 +86,7 @@ You will see unique event for every user. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -102,9 +102,9 @@ You will see unique event for every user. | Privilege Name | User Right Group Policy Name | Description | |---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | | SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | | SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | | SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | @@ -136,7 +136,7 @@ You will see unique event for every user. | SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | | SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | | SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
    With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index 9411db16ba..c5e09ceddf 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -86,7 +86,7 @@ You will see unique event for every user. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -102,9 +102,9 @@ You will see unique event for every user. | Privilege Name | User Right Group Policy Name | Description | |---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | | SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | | SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | | SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | @@ -136,7 +136,7 @@ You will see unique event for every user. | SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | | SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | | SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
    With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md index b0d1108d01..4b8feef3f1 100644 --- a/windows/security/threat-protection/auditing/event-4706.md +++ b/windows/security/threat-protection/auditing/event-4706.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -90,7 +90,7 @@ This event is generated only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -110,7 +110,7 @@ This event is generated only on domain controllers. |-------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 | TRUST\_TYPE\_DOWNLEVEL | The domain controller of the trusted domain is a computer running an operating system earlier than Windows 2000. | | 2 | TRUST\_TYPE\_UPLEVEL | The domain controller of the trusted domain is a computer running Windows 2000 or later. | -| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). | +| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](https://msdn.microsoft.com/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](https://msdn.microsoft.com/library/cc223126.aspx#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). | | 4 | TRUST\_TYPE\_DCE | The trusted domain is a DCE realm. Historical reference, this value is not used in Windows. | - **Trust Direction** \[Type = UInt32\]**:** the direction of new trust. The following table contains possible values for this field: @@ -127,17 +127,17 @@ This event is generated only on domain controllers. | Value | Attribute Value | Description | |-------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | -| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | -| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | -| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | +| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/library/cc237940.aspx). | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
    Only evaluated on TRUST\_TYPE\_MIT | -| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).
    Only evaluated on TRUST\_TYPE\_MIT | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | -- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: +- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/library/cc772633(v=ws.10).aspx) state for the new trust: - Enabled diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md index 85c6887b71..3f8f230754 100644 --- a/windows/security/threat-protection/auditing/event-4707.md +++ b/windows/security/threat-protection/auditing/event-4707.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -86,7 +86,7 @@ This event is generated only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md index f8c17d0d23..f6501093b7 100644 --- a/windows/security/threat-protection/auditing/event-4713.md +++ b/windows/security/threat-protection/auditing/event-4713.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -85,7 +85,7 @@ This event is generated only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md index 45e1db3e65..cc78c83197 100644 --- a/windows/security/threat-protection/auditing/event-4714.md +++ b/windows/security/threat-protection/auditing/event-4714.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,11 +23,11 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when a Data Recovery Agent group policy for Encrypting File System ([EFS](https://technet.microsoft.com/en-us/library/cc700811.aspx)) has changed. +This event generates when a Data Recovery Agent group policy for Encrypting File System ([EFS](https://technet.microsoft.com/library/cc700811.aspx)) has changed. -This event generates when a Data Recovery Agent certificate or [Data Recovery Agent policy](https://technet.microsoft.com/en-us/library/cc778208(v=ws.10).aspx) was changed for the computer or device. +This event generates when a Data Recovery Agent certificate or [Data Recovery Agent policy](https://technet.microsoft.com/library/cc778208(v=ws.10).aspx) was changed for the computer or device. -In the background, this event generates when the [\\HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\EfsBlob](https://msdn.microsoft.com/en-us/library/cc232284.aspx) registry value is changed during a Group Policy update. +In the background, this event generates when the [\\HKLM\\Software\\Policies\\Microsoft\\SystemCertificates\\EFS\\EfsBlob](https://msdn.microsoft.com/library/cc232284.aspx) registry value is changed during a Group Policy update. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index 31b4ed376d..0b6e732faf 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -86,7 +86,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -208,7 +208,7 @@ Example: D:(A;;FA;;;WD) - inherit\_object\_guid: N/A - account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. -For more information about SDDL syntax, see these articles: , . +For more information about SDDL syntax, see these articles: , . ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md index 6389cea265..651817d90c 100644 --- a/windows/security/threat-protection/auditing/event-4716.md +++ b/windows/security/threat-protection/auditing/event-4716.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -90,7 +90,7 @@ This event is generated only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -110,7 +110,7 @@ This event is generated only on domain controllers. |-------|------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 | TRUST\_TYPE\_DOWNLEVEL | The domain controller of the trusted domain is a computer running an operating system earlier than Windows 2000. | | 2 | TRUST\_TYPE\_UPLEVEL | The domain controller of the trusted domain is a computer running Windows 2000 or later. | -| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). | +| 3 | TRUST\_TYPE\_MIT | The trusted domain is running a non-Windows, RFC4120-compliant Kerberos distribution. This type of trust is distinguished in that (1) a [SID](https://msdn.microsoft.com/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) is not required for the [TDO](https://msdn.microsoft.com/library/cc223126.aspx#gt_f2ceef4e-999b-4276-84cd-2e2829de5fc4), and (2) the default key types include the DES-CBC and DES-CRC encryption types (see [\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458) section 8.1). | | 4 | TRUST\_TYPE\_DCE | The trusted domain is a DCE realm. Historical reference, this value is not used in Windows. | - **Trust Direction** \[Type = UInt32\]**:** the direction of new trust. If this attribute was not changed, then it will have “**-**“ value or its old value. The following table contains possible values for this field: @@ -127,17 +127,17 @@ This event is generated only on domain controllers. | Value | Attribute Value | Description | |-------|------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 0x1 | TRUST\_ATTRIBUTE\_NON\_TRANSITIVE | If this bit is set, then the trust cannot be used transitively. For example, if domain A trusts domain B, which in turn trusts domain C, and the A<-->B trust has this attribute set, then a client in domain A cannot authenticate to a server in domain C over the A<-->B<-->C trust linkage. | -| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | -| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/en-us/library/cc237940.aspx). | -| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/en-us/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/en-us/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/en-us/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x2 | TRUST\_ATTRIBUTE\_UPLEVEL\_ONLY | If this bit is set in the attribute, then only Windows 2000 operating system and newer clients may use the trust link. [Netlogon](https://msdn.microsoft.com/library/cc223126.aspx#gt_70771a5a-04a3-447d-981b-e03098808c32) does not consume [trust objects](https://msdn.microsoft.com/library/cc223126.aspx#gt_e81f6436-01d2-4311-93a4-4316bb67eabd) that have this flag set. | +| 0x4 | TRUST\_ATTRIBUTE\_QUARANTINED\_DOMAIN | If this bit is set, the trusted domain is quarantined and is subject to the rules of [SID](https://msdn.microsoft.com/library/cc223126.aspx#gt_83f2020d-0804-4840-a5ac-e06439d50f8d) Filtering as described in [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section [4.1.2.2](https://msdn.microsoft.com/library/cc237940.aspx). | +| 0x8 | TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE | If this bit is set, the trust link is a [cross-forest trust](https://msdn.microsoft.com/library/cc223126.aspx#gt_86f3dbf2-338f-462e-8c5b-3c8e05798dbc) [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) between the root domains of two [forests](https://msdn.microsoft.com/library/cc223126.aspx#gt_fd104241-4fb3-457c-b2c4-e0c18bb20b62), both of which are running in a [forest functional level](https://msdn.microsoft.com/library/cc223126.aspx#gt_b3240417-ca43-4901-90ec-fde55b32b3b8) of DS\_BEHAVIOR\_WIN2003 or greater.
    Only evaluated on Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x10 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION | If this bit is set, then the trust is to a domain or forest that is not part of the [organization](https://msdn.microsoft.com/library/cc223126.aspx#gt_6fae7775-5232-4206-b452-f298546ab54f). The behavior controlled by this bit is explained in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section [3.3.5.7.5](https://msdn.microsoft.com/library/cc233949.aspx) and [\[MS-APDS\]](https://msdn.microsoft.com/library/cc223948.aspx) section [3.1.5](https://msdn.microsoft.com/library/cc223991.aspx).
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | | 0x20 | TRUST\_ATTRIBUTE\_WITHIN\_FOREST | If this bit is set, then the trusted domain is within the same forest.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/en-us/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | -| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/en-us/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/en-us/library/cc223782.aspx).
    Only evaluated on TRUST\_TYPE\_MIT | -| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/en-us/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | -| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/en-us/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | +| 0x40 | TRUST\_ATTRIBUTE\_TREAT\_AS\_EXTERNAL | If this bit is set, then a cross-forest trust to a domain is to be treated as an external trust for the purposes of SID Filtering. Cross-forest trusts are more stringently [filtered](https://msdn.microsoft.com/library/cc223126.aspx#gt_ffbe7b55-8e84-4f41-a18d-fc29191a4cda) than external trusts. This attribute relaxes those cross-forest trusts to be equivalent to external trusts. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
    Only evaluated on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016.
    Only evaluated if SID Filtering is used.
    Only evaluated on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can only be set if forest and trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WIN2003 or greater. | +| 0x80 | TRUST\_ATTRIBUTE\_USES\_RC4\_ENCRYPTION | This bit is set on trusts with the [trustType](https://msdn.microsoft.com/library/cc220955.aspx) set to TRUST\_TYPE\_MIT, which are capable of using RC4 keys. Historically, MIT Kerberos distributions supported only DES and 3DES keys ([\[RFC4120\]](https://go.microsoft.com/fwlink/?LinkId=90458), [\[RFC3961\]](https://go.microsoft.com/fwlink/?LinkId=90450)). MIT 1.4.1 adopted the RC4HMAC encryption type common to Windows 2000 [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx), so trusted domains deploying later versions of the MIT distribution required this bit. For more information, see "Keys and Trusts", section [6.1.6.9.1](https://msdn.microsoft.com/library/cc223782.aspx).
    Only evaluated on TRUST\_TYPE\_MIT | +| 0x200 | TRUST\_ATTRIBUTE\_CROSS\_ORGANIZATION\_NO\_TGT\_DELEGATION | If this bit is set, tickets granted under this trust MUST NOT be trusted for delegation. The behavior controlled by this bit is as specified in [\[MS-KILE\]](https://msdn.microsoft.com/library/cc233855.aspx) section 3.3.5.7.5.
    Only supported on Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016. | +| 0x400 | TRUST\_ATTRIBUTE\_PIM\_TRUST | If this bit and the TATE bit are set, then a cross-forest trust to a domain is to be treated as Privileged Identity Management trust for the purposes of SID Filtering. For more information on how each trust type is filtered, see [\[MS-PAC\]](https://msdn.microsoft.com/library/cc237917.aspx) section 4.1.2.2.
    Evaluated only on Windows Server 2016
    Evaluated only if SID Filtering is used.
    Evaluated only on cross-forest trusts having TRUST\_ATTRIBUTE\_FOREST\_TRANSITIVE.
    Can be set only if the forest and the trusted forest are running in a forest functional level of DS\_BEHAVIOR\_WINTHRESHOLD or greater. | -- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx) state for the new trust: +- **SID Filtering** \[Type = UnicodeString\]: [SID Filtering](https://technet.microsoft.com/library/cc772633(v=ws.10).aspx) state for the new trust: - Enabled diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index 4921434446..f1833293fe 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time local [logon user right policy](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx) is changed and logon right was granted to an account. +This event generates every time local [logon user right policy](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx) is changed and logon right was granted to an account. You will see unique event for every user if logon user rights were granted to multiple accounts. @@ -86,7 +86,7 @@ You will see unique event for every user if logon user rights were granted to mu - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -98,7 +98,7 @@ You will see unique event for every user if logon user rights were granted to mu **Access Granted: ** -- **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx), which are as follows: +- **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows: | Value | Group Policy Name | |-----------------------------------|-----------------------------------------------| diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index db47f55f93..ea94079bdc 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time local [logon user right policy](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx) is changed and logon right was removed from an account. +This event generates every time local [logon user right policy](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx) is changed and logon right was removed from an account. You will see unique event for every user if logon user rights were removed for multiple accounts. @@ -86,7 +86,7 @@ You will see unique event for every user if logon user rights were removed for m - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -98,7 +98,7 @@ You will see unique event for every user if logon user rights were removed for m **Access Removed: ** -- **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](https://technet.microsoft.com/en-us/library/cc728212(v=ws.10).aspx), which are as follows: +- **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows: | Value | Group Policy Name | |-----------------------------------|-----------------------------------------------| diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md index d67898fd2e..43b26f9c62 100644 --- a/windows/security/threat-protection/auditing/event-4719.md +++ b/windows/security/threat-protection/auditing/event-4719.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -88,7 +88,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md index c182112703..06cde0c498 100644 --- a/windows/security/threat-protection/auditing/event-4720.md +++ b/windows/security/threat-protection/auditing/event-4720.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -106,7 +106,7 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -158,7 +158,7 @@ Typically, **Primary Group** field for new user accounts has the following value - 513 (Domain Users. For local accounts this RID means Users) – for domain and local users. - See this article for more information. This parameter contains the value of **primaryGroupID** attribute of new user object. + See this article for more information. This parameter contains the value of **primaryGroupID** attribute of new user object. diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md index 261f9cb975..2ffb8b34b5 100644 --- a/windows/security/threat-protection/auditing/event-4722.md +++ b/windows/security/threat-protection/auditing/event-4722.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -89,7 +89,7 @@ For computer accounts, this event generates only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md index d0bea5eb68..e88c3d903f 100644 --- a/windows/security/threat-protection/auditing/event-4723.md +++ b/windows/security/threat-protection/auditing/event-4723.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -96,7 +96,7 @@ Typically you will see 4723 events with the same **Subject\\Security ID** and ** - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md index b3913f0cbe..30fa06cd49 100644 --- a/windows/security/threat-protection/auditing/event-4724.md +++ b/windows/security/threat-protection/auditing/event-4724.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -95,7 +95,7 @@ For local accounts, a Failure event generates if the new password fails to meet - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md index 72a9797d2d..d9ba921f61 100644 --- a/windows/security/threat-protection/auditing/event-4725.md +++ b/windows/security/threat-protection/auditing/event-4725.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -89,7 +89,7 @@ For computer accounts, this event generates only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md index b3dfd1467b..4f06fa9db3 100644 --- a/windows/security/threat-protection/auditing/event-4726.md +++ b/windows/security/threat-protection/auditing/event-4726.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -88,7 +88,7 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md index 9f840372e7..46fab06fe0 100644 --- a/windows/security/threat-protection/auditing/event-4731.md +++ b/windows/security/threat-protection/auditing/event-4731.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -90,7 +90,7 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md index b032541291..e54aefcacd 100644 --- a/windows/security/threat-protection/auditing/event-4732.md +++ b/windows/security/threat-protection/auditing/event-4732.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -94,7 +94,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -104,7 +104,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group - **Security ID** \[Type = SID\]**:** SID of account that was added to the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. -- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if new member is a domain account. For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. +- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if new member is a domain account. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. @@ -134,7 +134,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group - For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”. - - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin **Additional Information:** diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md index 5803a7a96d..5777c86a8c 100644 --- a/windows/security/threat-protection/auditing/event-4733.md +++ b/windows/security/threat-protection/auditing/event-4733.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -94,7 +94,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -104,7 +104,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group - **Security ID** \[Type = SID\]**:** SID of account that was removed from the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. -- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if removed member is a domain account. For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. +- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For local groups this field typically has “**-**“ value, even if removed member is a domain account. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. @@ -140,7 +140,7 @@ You will typically see “[4735](event-4735.md): A security-enabled local group - - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin **Additional Information:** diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md index 336f98cd2d..c2983b6206 100644 --- a/windows/security/threat-protection/auditing/event-4734.md +++ b/windows/security/threat-protection/auditing/event-4734.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -88,7 +88,7 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -110,7 +110,7 @@ This event generates on domain controllers, member servers, and workstations. - For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”. - - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin **Additional Information:** diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md index ea6a0f906b..13641daa1a 100644 --- a/windows/security/threat-protection/auditing/event-4735.md +++ b/windows/security/threat-protection/auditing/event-4735.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -98,7 +98,7 @@ From 4735 event you can get information about changes of **sAMAccountName** and - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -124,13 +124,13 @@ From 4735 event you can get information about changes of **sAMAccountName** and - For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”. - - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin **Changed Attributes:** > **Note**  If attribute was not changed it will have “-“ value. -You might see a 4735 event without any changes inside, that is, where all Changed Attributes apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4735 event will generate, but all attributes will be “-“. +You might see a 4735 event without any changes inside, that is, where all Changed Attributes apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4735 event will generate, but all attributes will be “-“. - **SAM Account Name** \[Type = UnicodeString\]: This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of group object was changed, you will see the new value here. For example: ServiceDesk. For local groups it is simply a new name of the group, if it was changed. diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index 6a0c6f7fec..d5d82e4672 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -29,7 +29,7 @@ This event generates on domain controllers, member servers, and workstations. For each change, a separate 4738 event will be generated. -You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“. +You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4738 event will generate, but all attributes will be “-“. Some changes do not invoke a 4738 event. @@ -113,7 +113,7 @@ Some changes do not invoke a 4738 event. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -171,7 +171,7 @@ Typical **Primary Group** values for user accounts: - 513 (Domain Users. For local accounts this RID means Users) – for domain and local users. - See this article for more information. If the value of **primaryGroupID** attribute of user object was changed, you will see the new value here. + See this article for more information. If the value of **primaryGroupID** attribute of user object was changed, you will see the new value here. diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md index b4ce931ca3..cf13afb5d6 100644 --- a/windows/security/threat-protection/auditing/event-4739.md +++ b/windows/security/threat-protection/auditing/event-4739.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -97,8 +97,8 @@ This event generates when one of the following changes was made to local compute |-----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------| | Lockout Policy | Computer’s “\\Security Settings\\Account Policies\\Account Lockout Policy” settings were modified. | | Password Policy | Computer's “\\Security Settings\\Account Policies\\Password Policy” settings were modified. | -| Logoff Policy | "[Network security: Force logoff when logon hours expire](https://technet.microsoft.com/en-us/library/jj852195.aspx)" group policy setting was changed. | -| - | Machine Account Quota ([ms-DS-MachineAccountQuota](https://technet.microsoft.com/en-us/library/dd391926(v=ws.10).aspx)) domain attribute was modified. | +| Logoff Policy | "[Network security: Force logoff when logon hours expire](https://technet.microsoft.com/library/jj852195.aspx)" group policy setting was changed. | +| - | Machine Account Quota ([ms-DS-MachineAccountQuota](https://technet.microsoft.com/library/dd391926(v=ws.10).aspx)) domain attribute was modified. | **Subject:** @@ -116,7 +116,7 @@ This event generates when one of the following changes was made to local compute - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -159,11 +159,11 @@ This event generates when one of the following changes was made to local compute - **Password History Length** \[Type = UnicodeString\]: “\\Security Settings\\Account Policies\\Password Policy\\Enforce password history” group policy. Numeric value. -- **Machine Account Quota** \[Type = UnicodeString\]: [ms-DS-MachineAccountQuota](https://technet.microsoft.com/en-us/library/dd391926(v=ws.10).aspx) domain attribute was modified. Numeric value. +- **Machine Account Quota** \[Type = UnicodeString\]: [ms-DS-MachineAccountQuota](https://technet.microsoft.com/library/dd391926(v=ws.10).aspx) domain attribute was modified. Numeric value. - **Mixed Domain Mode** \[Type = UnicodeString\]: there is no information about this field in this document. -- **Domain Behavior Version** \[Type = UnicodeString\]: [msDS-Behavior-Version](https://msdn.microsoft.com/en-us/library/cc223742.aspx) domain attribute was modified. Numeric value. Possible values: +- **Domain Behavior Version** \[Type = UnicodeString\]: [msDS-Behavior-Version](https://msdn.microsoft.com/library/cc223742.aspx) domain attribute was modified. Numeric value. Possible values: | Value | Identifier | Domain controller operating systems that are allowed in the domain | |-------|---------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -184,9 +184,9 @@ This event generates when one of the following changes was made to local compute | Privilege Name | User Right Group Policy Name | Description | |---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | | SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | | SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | | SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | @@ -218,7 +218,7 @@ This event generates when one of the following changes was made to local compute | SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | | SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | | SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
    With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md index 766edfb035..5b75d39f07 100644 --- a/windows/security/threat-protection/auditing/event-4740.md +++ b/windows/security/threat-protection/auditing/event-4740.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -87,7 +87,7 @@ For user accounts, this event generates on domain controllers, member servers, a - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md index 9fcabb2b06..644d25ee98 100644 --- a/windows/security/threat-protection/auditing/event-4741.md +++ b/windows/security/threat-protection/auditing/event-4741.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -108,7 +108,7 @@ This event generates only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” @@ -160,7 +160,7 @@ Typically, **Primary Group** field for new computer accounts has the following v - 515 (Domain Computers) – for member servers and workstations. - See this article for more information. This parameter contains the value of **primaryGroupID** attribute of new computer object. + See this article for more information. This parameter contains the value of **primaryGroupID** attribute of new computer object. @@ -256,9 +256,9 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT | Privilege Name | User Right Group Policy Name | Description | |---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | +| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process.
    With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. | | SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. | -| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | +| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations.
    With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.
    This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:
    READ\_CONTROL
    ACCESS\_SYSTEM\_SECURITY
    FILE\_GENERIC\_READ
    FILE\_TRAVERSE | | SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks.
    With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. | | SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. | | SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. | @@ -290,7 +290,7 @@ So this UAC flags value decodes to: LOCKOUT and SCRIPT | SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. | | SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. | | SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.
    With this privilege, the user can undock a portable computer from its docking station without logging on. | -| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | +| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. | > Table 8. User Privileges. diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 81c06e259a..9786485ce5 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -33,7 +33,7 @@ For each change, a separate 4742 event will be generated. Some changes do not invoke a 4742 event, for example, changes made using Active Directory Users and Computers management console in **Managed By** tab in computer account properties. -You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“. +You might see this event without any changes inside, that is, where all **Changed Attributes** apear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the **Description** of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4742 event will generate, but all attributes will be “-“. ***Important*:** If you manually change any user-related setting or attribute, for example if you set the SMARTCARD\_REQUIRED flag in **userAccountControl** for the computer account, then the **sAMAccountType** of the computer account will be changed to NORMAL\_USER\_ACCOUNT and you will get “[4738](event-4738.md): A user account was changed” instead of 4742 for this computer account. Essentially, the computer account will “become” a user account. For NORMAL\_USER\_ACCOUNT you will always get events from [Audit User Account Management](audit-user-account-management.md) subcategory. We strongly recommend that you avoid changing any user-related settings manually for computer objects. @@ -119,7 +119,7 @@ You might see this event without any changes inside, that is, where all **Change - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” @@ -175,7 +175,7 @@ Typical **Primary Group** values for computer accounts: - 515 (Domain Computers) – servers and workstations. - See this article for more information. If the value of **primaryGroupID** attribute of computer object was changed, you will see the new value here. + See this article for more information. If the value of **primaryGroupID** attribute of computer object was changed, you will see the new value here. diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md index a6a08ce668..4fed97ce70 100644 --- a/windows/security/threat-protection/auditing/event-4743.md +++ b/windows/security/threat-protection/auditing/event-4743.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -88,7 +88,7 @@ This event generates only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md index adf348858e..8a1d247664 100644 --- a/windows/security/threat-protection/auditing/event-4749.md +++ b/windows/security/threat-protection/auditing/event-4749.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -90,7 +90,7 @@ This event generates only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md index c6f9458b13..950304d0ac 100644 --- a/windows/security/threat-protection/auditing/event-4750.md +++ b/windows/security/threat-protection/auditing/event-4750.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -98,7 +98,7 @@ From 4750 event you can get information about changes of **sAMAccountName** and - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” @@ -120,13 +120,13 @@ From 4750 event you can get information about changes of **sAMAccountName** and - Uppercase full domain name: CONTOSO.LOCAL - - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin **Changed Attributes:** > **Note**  If attribute was not changed it will have “-“ value. -> **Note**  You might see a 4750 event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4750 event will generate, but all attributes will be “-“. +> **Note**  You might see a 4750 event without any changes inside, that is, where all **Changed Attributes** appear as “-“. This usually happens when a change is made to an attribute that is not listed in the event. In this case there is no way to determine which attribute was changed. For example, this would happen if you change the Description of a group object using the Active Directory Users and Computers administrative console. Also, if the [discretionary access control list](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) (DACL) is changed, a 4750 event will generate, but all attributes will be “-“. - **SAM Account Name** \[Type = UnicodeString\]: This is a new name of changed group used to support clients and servers from previous versions of Windows (pre-Windows 2000 logon name). If the value of **sAMAccountName** attribute of group object was changed, you will see the new value here. For example: ServiceDesk. diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md index a54bc67494..d927083a15 100644 --- a/windows/security/threat-protection/auditing/event-4751.md +++ b/windows/security/threat-protection/auditing/event-4751.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -98,7 +98,7 @@ You will typically see “[4750](event-4750.md): A security-disabled global grou - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. @@ -108,7 +108,7 @@ You will typically see “[4750](event-4750.md): A security-disabled global grou - **Security ID** \[Type = SID\]**:** SID of account that was added to the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. -- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. +- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was added to the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. @@ -138,7 +138,7 @@ You will typically see “[4750](event-4750.md): A security-disabled global grou - Uppercase full domain name: CONTOSO.LOCAL - - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin **Additional Information:** diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md index 67b6917c57..199438a1d9 100644 --- a/windows/security/threat-protection/auditing/event-4752.md +++ b/windows/security/threat-protection/auditing/event-4752.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -92,7 +92,7 @@ For every removed member you will get separate 4752 event. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” @@ -100,7 +100,7 @@ For every removed member you will get separate 4752 event. - **Security ID** \[Type = SID\]**:** SID of account that was removed from the group. Event Viewer automatically tries to resolve SIDs and show the group name. If the SID cannot be resolved, you will see the source data in the event. -- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. +- **Account Name** \[Type = UnicodeString\]: distinguished name of account that was removed from the group. For example: “CN=Auditor,CN=Users,DC=contoso,DC=local”. For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “-”. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. @@ -128,7 +128,7 @@ For every removed member you will get separate 4752 event. - Uppercase full domain name: CONTOSO.LOCAL - - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin **Additional Information:** diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md index 6f7ea445cc..d4923509bb 100644 --- a/windows/security/threat-protection/auditing/event-4753.md +++ b/windows/security/threat-protection/auditing/event-4753.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -88,7 +88,7 @@ This event generates only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.” @@ -106,7 +106,7 @@ This event generates only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin **Additional Information:** diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md index 914faaec85..cecc86b9e7 100644 --- a/windows/security/threat-protection/auditing/event-4764.md +++ b/windows/security/threat-protection/auditing/event-4764.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -90,7 +90,7 @@ This event generates only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -126,7 +126,7 @@ This event generates only on domain controllers. - For a local group, this field will contain the name of the computer to which this new group belongs, for example: “Win81”. - - [Built-in groups](https://technet.microsoft.com/en-us/library/dn169025(v=ws.10).aspx): Builtin + - [Built-in groups](https://technet.microsoft.com/library/dn169025(v=ws.10).aspx): Builtin **Additional Information:** diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md index 9930e1add7..ac6d94888e 100644 --- a/windows/security/threat-protection/auditing/event-4765.md +++ b/windows/security/threat-protection/auditing/event-4765.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,9 +17,9 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event generates when [SID History](https://msdn.microsoft.com/en-us/library/ms679833(v=vs.85).aspx) was added to an account. +This event generates when [SID History](https://msdn.microsoft.com/library/ms679833(v=vs.85).aspx) was added to an account. -See more information about SID History here: . +See more information about SID History here: . There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md index 03e5f98777..044a240197 100644 --- a/windows/security/threat-protection/auditing/event-4766.md +++ b/windows/security/threat-protection/auditing/event-4766.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,9 +17,9 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event generates when an attempt to add [SID History](https://msdn.microsoft.com/en-us/library/ms679833(v=vs.85).aspx) to an account failed. +This event generates when an attempt to add [SID History](https://msdn.microsoft.com/library/ms679833(v=vs.85).aspx) to an account failed. -See more information about SID History here: . +See more information about SID History here: . There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md index e9c94bc2b7..0518658323 100644 --- a/windows/security/threat-protection/auditing/event-4767.md +++ b/windows/security/threat-protection/auditing/event-4767.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -87,7 +87,7 @@ For user accounts, this event generates on domain controllers, member servers, a - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index dfad68c114..1b51cf8491 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -116,7 +116,7 @@ This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “ - **Service ID** \[Type = SID\]**:** SID of the service account in the Kerberos Realm to which TGT request was sent. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. - Domain controllers have a specific service account (**krbtgt**) that is used by the [Key Distribution Center](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378170(v=vs.85).aspx) (KDC) service to issue Kerberos tickets. It has a built-in, pre-defined SID: S-1-5-21-[DOMAIN\_IDENTIFIER](https://technet.microsoft.com/en-us/library/cc962011.aspx)-502. + Domain controllers have a specific service account (**krbtgt**) that is used by the [Key Distribution Center](https://msdn.microsoft.com/library/windows/desktop/aa378170(v=vs.85).aspx) (KDC) service to issue Kerberos tickets. It has a built-in, pre-defined SID: S-1-5-21-[DOMAIN\_IDENTIFIER](https://technet.microsoft.com/library/cc962011.aspx)-502. - **NULL SID** – this value shows in [4768](event-4768.md) Failure events. @@ -163,8 +163,8 @@ The most common values: | 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. | | 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. | | 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. | -| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | -| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | | 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. | | 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. | | 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. | @@ -184,7 +184,7 @@ The most common values: > Table 2. Kerberos ticket flags. -> **Note**  [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) **(Microsoft Kerberos Protocol Extension)** – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels. +> **Note**  [KILE](https://msdn.microsoft.com/library/cc233855.aspx) **(Microsoft Kerberos Protocol Extension)** – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels. - **Result Code** \[Type = HexInt32\]**:** hexadecimal result code of TGT issue operation. The “Table 3. TGT/TGS issue error codes.” contains the list of the most common error codes for this event. @@ -268,7 +268,7 @@ The most common values: | 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | -- **Pre-Authentication Type** \[Type = UnicodeString\]: the code number of [pre-Authentication](https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx) type which was used in TGT request. +- **Pre-Authentication Type** \[Type = UnicodeString\]: the code number of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type which was used in TGT request. ## Table 5. Kerberos Pre-Authentication types. diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index ddc3fc91bd..cfb61706ce 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -159,8 +159,8 @@ The most common values: | 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. | | 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. | | 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. | -| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | -| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | | 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. | | 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. | | 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. | diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md index d1fbaec511..9a6b67f27e 100644 --- a/windows/security/threat-protection/auditing/event-4770.md +++ b/windows/security/threat-protection/auditing/event-4770.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -145,8 +145,8 @@ The most common values: | 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. | | 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. | | 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. | -| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | -| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | | 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. | | 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. | | 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. | diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md index 34add04027..a8c9f97481 100644 --- a/windows/security/threat-protection/auditing/event-4771.md +++ b/windows/security/threat-protection/auditing/event-4771.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -142,8 +142,8 @@ The most common values: | 2 | Forwarded | Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT. | | 3 | Proxiable | (TGT only). Tells the ticket-granting service that it can issue tickets with a network address that differs from the one in the TGT. | | 4 | Proxy | Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket. | -| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | -| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/en-us/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 5 | Allow-postdate | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | +| 6 | Postdated | Postdated tickets SHOULD NOT be supported in [KILE](https://msdn.microsoft.com/library/cc233855.aspx) (Microsoft Kerberos Protocol Extension). | | 7 | Invalid | This flag indicates that a ticket is invalid, and it must be validated by the KDC before use. Application servers must reject tickets which have this flag set. | | 8 | Renewable | Used in combination with the End Time and Renew Till fields to cause tickets with long life spans to be renewed at the KDC periodically. | | 9 | Initial | Indicates that a ticket was issued using the authentication service (AS) exchange and not issued based on a TGT. | @@ -171,7 +171,7 @@ The most common values: | 0x17 | KDC\_ERR\_KEY\_EXPIRED | Password has expired—change password to reset | The user’s password has expired. | | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided. | -- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/en-us/library/cc772815(v=ws.10).aspx) type which was used in TGT request. +- **Pre-Authentication Type** \[Type = UnicodeString\]: the code of [pre-Authentication](https://technet.microsoft.com/library/cc772815(v=ws.10).aspx) type which was used in TGT request. ## Table 5. Kerberos Pre-Authentication types. diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md index 3bb2aa354c..cf2e1d5c17 100644 --- a/windows/security/threat-protection/auditing/event-4772.md +++ b/windows/security/threat-protection/auditing/event-4772.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md index 8a65a7df8a..ed5f9bb1a0 100644 --- a/windows/security/threat-protection/auditing/event-4773.md +++ b/windows/security/threat-protection/auditing/event-4773.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md index 65edca2761..e88f833a6c 100644 --- a/windows/security/threat-protection/auditing/event-4774.md +++ b/windows/security/threat-protection/auditing/event-4774.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md index 473697a68f..e257e4610f 100644 --- a/windows/security/threat-protection/auditing/event-4775.md +++ b/windows/security/threat-protection/auditing/event-4775.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md index ef04b9a13e..38e1f7b475 100644 --- a/windows/security/threat-protection/auditing/event-4776.md +++ b/windows/security/threat-protection/auditing/event-4776.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -82,11 +82,11 @@ This event does *not* generate when a domain account logs on locally to a domain ***Field Descriptions:*** -- **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374733(v=vs.85).aspx) which was used for credential validation. It is always “**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**” for [4776](event-4776.md) event. +- **Authentication Package** \[Type = UnicodeString\]: the name of [Authentication Package](https://msdn.microsoft.com/library/windows/desktop/aa374733(v=vs.85).aspx) which was used for credential validation. It is always “**MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0**” for [4776](event-4776.md) event. -> **Note**  **Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721592(v=vs.85).aspx#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt. +> **Note**  **Authentication package** is a DLL that encapsulates the authentication logic used to determine whether to permit a user to log on. [Local Security Authority](https://msdn.microsoft.com/library/windows/desktop/ms721592(v=vs.85).aspx#_security_local_security_authority_gly) (LSA) authenticates a user logon by sending the request to an authentication package. The authentication package then examines the logon information and either authenticates or rejects the user logon attempt. -- **Logon Account** \[Type = UnicodeString\]: the name of the account that had its credentials validated by the **Authentication Package**. Can be user name, computer account name or [well-known security principal](https://support.microsoft.com/en-us/kb/243330) account name. Examples: +- **Logon Account** \[Type = UnicodeString\]: the name of the account that had its credentials validated by the **Authentication Package**. Can be user name, computer account name or [well-known security principal](https://support.microsoft.com/kb/243330) account name. Examples: - User example: dadmin @@ -104,7 +104,7 @@ This event does *not* generate when a domain account logs on locally to a domain |------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 0xC0000064 | The username you typed does not exist. Bad username. | | 0xC000006A | Account logon with misspelled or bad password. | -| 0xC000006D | - Generic logon failure.
    Some of the potential causes for this:
    An invalid username and/or password was used
    [LAN Manager Authentication Level](https://technet.microsoft.com/en-us/library/jj852207.aspx) mismatch between the source and target computers. | +| 0xC000006D | - Generic logon failure.
    Some of the potential causes for this:
    An invalid username and/or password was used
    [LAN Manager Authentication Level](https://technet.microsoft.com/library/jj852207.aspx) mismatch between the source and target computers. | | 0xC000006F | Account logon outside authorized hours. | | 0xC0000070 | Account logon from unauthorized workstation. | | 0xC0000071 | Account logon with expired password. | diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md index ec54750c71..ee412150ee 100644 --- a/windows/security/threat-protection/auditing/event-4777.md +++ b/windows/security/threat-protection/auditing/event-4777.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md index caa301af26..7afcaa3760 100644 --- a/windows/security/threat-protection/auditing/event-4778.md +++ b/windows/security/threat-protection/auditing/event-4778.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true). +This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://docs.microsoft.com/windows-hardware/drivers/display/fast-user-switching). This event also generates when user reconnects to virtual host Hyper-V Enhanced Session, for example. @@ -82,7 +82,7 @@ This event also generates when user reconnects to virtual host Hyper-V Enhanced - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md index 48da89946f..6d83f5c8ab 100644 --- a/windows/security/threat-protection/auditing/event-4779.md +++ b/windows/security/threat-protection/auditing/event-4779.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true). +This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using [Fast User Switching](https://docs.microsoft.com/windows-hardware/drivers/display/fast-user-switching). This event also generated when user disconnects from virtual host Hyper-V Enhanced Session, for example. @@ -82,7 +82,7 @@ This event also generated when user disconnects from virtual host Hyper-V Enhanc - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md index 26d14f55d5..89773e7c15 100644 --- a/windows/security/threat-protection/auditing/event-4780.md +++ b/windows/security/threat-protection/auditing/event-4780.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated. +Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](https://technet.microsoft.com/magazine/2009.09.sdadminholder.aspx) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated. For some reason, this event doesn’t generate on some OS versions. diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md index be9c51ab52..1d71424cb3 100644 --- a/windows/security/threat-protection/auditing/event-4781.md +++ b/windows/security/threat-protection/auditing/event-4781.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -91,7 +91,7 @@ For computer accounts, this event generates only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md index 195c2cf4df..4e508a89cd 100644 --- a/windows/security/threat-protection/auditing/event-4782.md +++ b/windows/security/threat-protection/auditing/event-4782.md @@ -1,16 +1,16 @@ --- -title: 4782(S) The password hash an account was accessed. (Windows 10) -description: Describes security event 4782(S) The password hash an account was accessed. +title: 4782(S) The password hash of an account was accessed. (Windows 10) +description: Describes security event 4782(S) The password hash of an account was accessed. ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- -# 4782(S): The password hash an account was accessed. +# 4782(S): The password hash of an account was accessed. **Applies to** - Windows 10 @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates on domain controllers during password migration of an account using [Active Directory Migration Toolkit](https://technet.microsoft.com/en-us/library/cc974332(v=ws.10).aspx). +This event generates on domain controllers during password migration of an account using [Active Directory Migration Toolkit](https://technet.microsoft.com/library/cc974332(v=ws.10).aspx). Typically **“Subject\\Security ID”** is the SYSTEM account. @@ -108,7 +108,7 @@ Typically **“Subject\\Security ID”** is the SYSTEM account. ## Security Monitoring Recommendations -For 4782(S): The password hash an account was accessed. +For 4782(S): The password hash of an account was accessed. - Monitor for all events of this type, because any actions with account’s password hashes should be planned. If this action was not planned, investigate the reason for the change. diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md index b0ac045f2f..51072c8c90 100644 --- a/windows/security/threat-protection/auditing/event-4793.md +++ b/windows/security/threat-protection/auditing/event-4793.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates each time the [Password Policy Checking API](https://msdn.microsoft.com/en-us/library/aa370661(VS.85).aspx) is called. +This event generates each time the [Password Policy Checking API](https://msdn.microsoft.com/library/aa370661(VS.85).aspx) is called. The Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy. @@ -93,7 +93,7 @@ Note that starting with Microsoft SQL Server 2005, the “SQL Server password po - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md index cd85dc1d77..1047c9bc07 100644 --- a/windows/security/threat-protection/auditing/event-4794.md +++ b/windows/security/threat-protection/auditing/event-4794.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -86,7 +86,7 @@ This event generates only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md index c432cb8c08..e30de693a4 100644 --- a/windows/security/threat-protection/auditing/event-4798.md +++ b/windows/security/threat-protection/auditing/event-4798.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -87,7 +87,7 @@ This event generates when a process enumerates a user's security-enabled local g - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md index 1f126c2840..7b7e91aaf4 100644 --- a/windows/security/threat-protection/auditing/event-4799.md +++ b/windows/security/threat-protection/auditing/event-4799.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -89,7 +89,7 @@ This event doesn't generate when group members were enumerated using Active Dire - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md index 1d4ef520e5..a4541ae782 100644 --- a/windows/security/threat-protection/auditing/event-4800.md +++ b/windows/security/threat-protection/auditing/event-4800.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -83,7 +83,7 @@ This event is generated when a workstation was locked. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md index 7681ec1773..607f26fbdb 100644 --- a/windows/security/threat-protection/auditing/event-4801.md +++ b/windows/security/threat-protection/auditing/event-4801.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -83,7 +83,7 @@ This event is generated when workstation was unlocked. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md index f984fd6753..0d1f115deb 100644 --- a/windows/security/threat-protection/auditing/event-4802.md +++ b/windows/security/threat-protection/auditing/event-4802.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -83,7 +83,7 @@ This event is generated when screen saver was invoked. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md index f857dd4f57..f881297561 100644 --- a/windows/security/threat-protection/auditing/event-4803.md +++ b/windows/security/threat-protection/auditing/event-4803.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -83,7 +83,7 @@ This event is generated when screen saver was dismissed. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md index 1166587fae..fee398f114 100644 --- a/windows/security/threat-protection/auditing/event-4816.md +++ b/windows/security/threat-protection/auditing/event-4816.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index ce42488f86..05046dac27 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when the [Global Object Access Auditing](https://technet.microsoft.com/en-us/library/dd772630(v=ws.10).aspx) policy is changed on a computer. +This event generates when the [Global Object Access Auditing](https://technet.microsoft.com/library/dd772630(v=ws.10).aspx) policy is changed on a computer. Separate events will be generated for “Registry” and “File system” policy changes. @@ -89,7 +89,7 @@ Separate events will be generated for “Registry” and “File system” polic - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -236,7 +236,7 @@ Example: D:(A;;FA;;;WD) - inherit\_object\_guid: N/A - account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. -For more information about SDDL syntax, see these articles: , . +For more information about SDDL syntax, see these articles: , . ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md index 147dee2f2b..73099eb01b 100644 --- a/windows/security/threat-protection/auditing/event-4818.md +++ b/windows/security/threat-protection/auditing/event-4818.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when Dynamic Access Control Proposed [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) is enabled and access was not granted by Proposed Central Access Policy. +This event generates when Dynamic Access Control Proposed [Central Access Policy](https://technet.microsoft.com/library/hh831425.aspx) is enabled and access was not granted by Proposed Central Access Policy. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -90,7 +90,7 @@ This event generates when Dynamic Access Control Proposed [Central Access Policy - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -146,7 +146,7 @@ The possible REQUESTED\_ACCESS values are listed in the table below. | AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
    **AddSubdirectory -** For a directory, the right to create a subdirectory.
    **CreatePipeInstance -** For a named pipe, the right to create a pipe. | | ReadEA | 0x8 | The right to read extended file attributes. | | WriteEA | 0x10 | The right to write extended file attributes. | -| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
    **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
    **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | | DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | | ReadAttributes | 0x80 | The right to read file attributes. | | WriteAttributes | 0x100 | The right to write file attributes. | @@ -192,7 +192,7 @@ The possible REQUESTED\_ACCESS values are listed in the table below: | AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
    **AddSubdirectory -** For a directory, the right to create a subdirectory.
    **CreatePipeInstance -** For a named pipe, the right to create a pipe. | | ReadEA | 0x8 | The right to read extended file attributes. | | WriteEA | 0x10 | The right to write extended file attributes. | -| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
    **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| Execute/Traverse | 0x20 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
    **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | | DeleteChild | 0x40 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | | ReadAttributes | 0x80 | The right to read file attributes. | | WriteAttributes | 0x100 | The right to write file attributes. | diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md index 6b7f2516b5..2c1ffb5de8 100644 --- a/windows/security/threat-protection/auditing/event-4819.md +++ b/windows/security/threat-protection/auditing/event-4819.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,9 +23,9 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) on the machine have been changed. +This event generates when [Central Access Policy](https://technet.microsoft.com/library/hh831425.aspx) on the machine have been changed. -For example, it generates when a new [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) was applied to the machine via Group Policy. +For example, it generates when a new [Central Access Policy](https://technet.microsoft.com/library/hh831425.aspx) was applied to the machine via Group Policy. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -90,7 +90,7 @@ For example, it generates when a new [Central Access Policy](https://technet.mic - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md index d3a1cf34e3..6445cea21f 100644 --- a/windows/security/threat-protection/auditing/event-4826.md +++ b/windows/security/threat-protection/auditing/event-4826.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time system starts and load current [Boot Configuration Data](https://msdn.microsoft.com/en-us/library/windows/hardware/dn653287(v=vs.85).aspx) (BCD) settings. +This event generates every time system starts and load current [Boot Configuration Data](https://msdn.microsoft.com/library/windows/hardware/dn653287(v=vs.85).aspx) (BCD) settings. This event is always logged regardless of the "Audit Other Policy Change Events" sub-category setting. @@ -102,15 +102,15 @@ This event is always logged regardless of the "Audit Other Policy Change Events" - **System Event Logging** \[Type = UnicodeString\]**:** there is no information about this field in this document. -- **Kernel Debugging** \[Type = UnicodeString\]**:** shows whether Windows [kernel debugging](https://msdn.microsoft.com/en-us/library/windows/hardware/ff542191(v=vs.85).aspx) is enabled or not (**Yes** or **No**). You can enable kernel debugging using “bcdedit /debug on” command. +- **Kernel Debugging** \[Type = UnicodeString\]**:** shows whether Windows [kernel debugging](https://msdn.microsoft.com/library/windows/hardware/ff542191(v=vs.85).aspx) is enabled or not (**Yes** or **No**). You can enable kernel debugging using “bcdedit /debug on” command. - **VSM Launch Type** \[Type = UnicodeString\]**:** there is no information about this field in this document. **Signature Settings:** -- **Test Signing** \[Type = UnicodeString\]**:** shows whether Windows [test signing](https://msdn.microsoft.com/en-us/library/windows/hardware/dn653559(v=vs.85).aspx) is enabled or not (**Yes** or **No**). You can disable test signing using “bcdedit /set testsigning off” command. +- **Test Signing** \[Type = UnicodeString\]**:** shows whether Windows [test signing](https://msdn.microsoft.com/library/windows/hardware/dn653559(v=vs.85).aspx) is enabled or not (**Yes** or **No**). You can disable test signing using “bcdedit /set testsigning off” command. -> **Note**  This parameter controls whether Windows 8.1, Windows 8, Windows 7, Windows Server 2008, or Windows Vista will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers on 64-bit versions of Windows 8.1, Windows 8, Windows 7, Windows Server 2008, and Windows Vista will not load by default. After you run the BCDEdit command, restart the computer so that the change takes effect. For more information, see [Introduction to Test-Signing](https://msdn.microsoft.com/en-us/library/windows/hardware/ff547660(v=vs.85).aspx). +> **Note**  This parameter controls whether Windows 8.1, Windows 8, Windows 7, Windows Server 2008, or Windows Vista will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers on 64-bit versions of Windows 8.1, Windows 8, Windows 7, Windows Server 2008, and Windows Vista will not load by default. After you run the BCDEdit command, restart the computer so that the change takes effect. For more information, see [Introduction to Test-Signing](https://msdn.microsoft.com/library/windows/hardware/ff547660(v=vs.85).aspx). - **Flight Signing** \[Type = UnicodeString\]**:** shows whether Windows flight signing (which allows flight-signed code signing certificates) is enabled or not (**Yes** or **No**). You can disable flight signing using “bcdedit /set flightsigning off” command. @@ -118,11 +118,11 @@ This event is always logged regardless of the "Audit Other Policy Change Events" **HyperVisor Settings:** -- **HyperVisor Load Options** \[Type = UnicodeString\]**:** shows hypervisor **loadoptions**. See more information here: . +- **HyperVisor Load Options** \[Type = UnicodeString\]**:** shows hypervisor **loadoptions**. See more information here: . -- **HyperVisor Launch Type** \[Type = UnicodeString\]**:** shows the hypervisor launch options (**Off** or **Auto**). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to **Auto** on the target computer. For more information, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/en-us/library/windows/hardware/ff538138(v=vs.85).aspx). Information about [Hyper-V](https://go.microsoft.com/fwlink/p/?linkid=271817) technology is available on Microsoft TechNet web site. +- **HyperVisor Launch Type** \[Type = UnicodeString\]**:** shows the hypervisor launch options (**Off** or **Auto**). If you are setting up a debugger to debug Hyper-V on a target computer, set this option to **Auto** on the target computer. For more information, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/library/windows/hardware/ff538138(v=vs.85).aspx). Information about [Hyper-V](https://go.microsoft.com/fwlink/p/?linkid=271817) technology is available on Microsoft TechNet web site. -- **HyperVisor Debugging** \[Type = UnicodeString\]**:** shows whether the hypervisor debugger is enabled or not (**Yes** or **No**). For information about hypervisor debugging, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/en-us/library/windows/hardware/ff538138(v=vs.85).aspx). +- **HyperVisor Debugging** \[Type = UnicodeString\]**:** shows whether the hypervisor debugger is enabled or not (**Yes** or **No**). For information about hypervisor debugging, see [Attaching to a Target Computer Running Hyper-V](https://msdn.microsoft.com/library/windows/hardware/ff538138(v=vs.85).aspx). ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index a4729e4103..0417800a87 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md index 843d1542b6..e05a7fd7bb 100644 --- a/windows/security/threat-protection/auditing/event-4865.md +++ b/windows/security/threat-protection/auditing/event-4865.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -93,7 +93,7 @@ This event is generated only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -117,8 +117,8 @@ This event is generated only on domain controllers. | Value | Type Name | Description | |-------|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | ForestTrustTopLevelName | The [DNS name](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx) | -| 1 | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx). | +| 0 | ForestTrustTopLevelName | The [DNS name](https://msdn.microsoft.com/library/cc234227.aspx#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](https://msdn.microsoft.com/library/cc234227.aspx#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/library/cc234258.aspx) | +| 1 | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/library/cc234258.aspx). | | 2 | ForestTrustDomainInfo | This field specifies a record containing identification and name information | - **Flags** \[Type = UInt32\]: The following table specifies the possible flags. diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md index bf32d2daa5..b9a4f3ba8d 100644 --- a/windows/security/threat-protection/auditing/event-4866.md +++ b/windows/security/threat-protection/auditing/event-4866.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -93,7 +93,7 @@ This event is generated only on domain controllers. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -117,8 +117,8 @@ This event is generated only on domain controllers. | Value | Type Name | Description | |-------|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | ForestTrustTopLevelName | The [DNS name](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx) | -| 1 | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx). | +| 0 | ForestTrustTopLevelName | The [DNS name](https://msdn.microsoft.com/library/cc234227.aspx#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](https://msdn.microsoft.com/library/cc234227.aspx#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/library/cc234258.aspx) | +| 1 | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/library/cc234258.aspx). | | 2 | ForestTrustDomainInfo | This field specifies a record containing identification and name information | - **Flags** \[Type = UInt32\]: The following table specifies the possible flags. diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md index cc0c449a75..bd74436a73 100644 --- a/windows/security/threat-protection/auditing/event-4867.md +++ b/windows/security/threat-protection/auditing/event-4867.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -95,7 +95,7 @@ This event contains new values only, it doesn’t contains old values and it doe - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -119,8 +119,8 @@ This event contains new values only, it doesn’t contains old values and it doe | Value | Type Name | Description | |-------|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | ForestTrustTopLevelName | The [DNS name](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](https://msdn.microsoft.com/en-us/library/cc234227.aspx#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx) | -| 1 | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/en-us/library/cc234258.aspx). | +| 0 | ForestTrustTopLevelName | The [DNS name](https://msdn.microsoft.com/library/cc234227.aspx#gt_102a36e2-f66f-49e2-bee3-558736b2ecd5) of the [trusted forest](https://msdn.microsoft.com/library/cc234227.aspx#gt_3b76a71f-9697-4836-9c69-09899b23c21b). The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/library/cc234258.aspx) | +| 1 | ForestTrustTopLevelNameEx | This type commonly used for name suffix exceptions. The structure used for this record type is equivalent to [LSA\_UNICODE\_STRING](https://msdn.microsoft.com/library/cc234258.aspx). | | 2 | ForestTrustDomainInfo | This field specifies a record containing identification and name information | - **Flags** \[Type = UInt32\]: The following table specifies the possible flags. diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md index 9a59309492..ad1d71cdae 100644 --- a/windows/security/threat-protection/auditing/event-4902.md +++ b/windows/security/threat-protection/auditing/event-4902.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md index c529ad4a45..66aa826430 100644 --- a/windows/security/threat-protection/auditing/event-4904.md +++ b/windows/security/threat-protection/auditing/event-4904.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time a new [security event source](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx) is registered. +This event generates every time a new [security event source](https://msdn.microsoft.com/library/windows/desktop/aa363661(v=vs.85).aspx) is registered. You can typically see this event during system startup, if specific roles (Internet Information Services, for example) are installed in the system. @@ -88,7 +88,7 @@ You can typically see this event during system startup, if specific roles (Inter - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md index 5cdb7f8d3c..7af5c4b24e 100644 --- a/windows/security/threat-protection/auditing/event-4905.md +++ b/windows/security/threat-protection/auditing/event-4905.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time a [security event source](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx) is unregistered. +This event generates every time a [security event source](https://msdn.microsoft.com/library/windows/desktop/aa363661(v=vs.85).aspx) is unregistered. You typically see this event if specific roles were removed, for example, Internet Information Services. @@ -88,7 +88,7 @@ You typically see this event if specific roles were removed, for example, Intern - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md index 7ad2014e0c..ab54b7b26d 100644 --- a/windows/security/threat-protection/auditing/event-4906.md +++ b/windows/security/threat-protection/auditing/event-4906.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -27,7 +27,7 @@ This event generates every time **CrashOnAuditFail** audit flag value was modifi This event is always logged regardless of the "Audit Policy Change" sub-category setting. -More information about **CrashOnAuditFail** flag can be found [here](https://technet.microsoft.com/en-us/library/cc963220.aspx). +More information about **CrashOnAuditFail** flag can be found [here](https://technet.microsoft.com/library/cc963220.aspx). > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index bd687db23f..973763ef55 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) of an object (for example, a registry key or file) was changed. +This event generates when the [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) of an object (for example, a registry key or file) was changed. This event doesn't generate for Active Directory objects. @@ -92,7 +92,7 @@ This event doesn't generate for Active Directory objects. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -117,7 +117,7 @@ This event doesn't generate for Active Directory objects. | Job | Port | FilterConnectionPort | | | ALPC Port | Semaphore | Adapter | | -- **Object Name** \[Type = UnicodeString\]: full path and name of the object for which the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) was modified. Depends on **Object Type**. Here are some examples: +- **Object Name** \[Type = UnicodeString\]: full path and name of the object for which the [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) was modified. Depends on **Object Type**. Here are some examples: - The format for **Object Type** = “Key” is: \\REGISTRY\\HIVE\\PATH where: @@ -135,13 +135,13 @@ This event doesn't generate for Active Directory objects. - PATH – path to the registry key. - - The format for **Object Type** = “File” is: full path and name of the file or folder for which [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) was modified. + - The format for **Object Type** = “File” is: full path and name of the file or folder for which [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) was modified. - **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4656](event-4656.md): A handle to an object was requested.” Event for registry keys or with **Handle ID** field in “[4656](event-4656.md)(S, F): A handle to an object was requested.” Event for file system objects. This parameter might not be captured in the event, and in that case appears as “0x0”. **Process Information:** -- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): +- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) was changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column): Task manager illustration @@ -267,7 +267,7 @@ Example: D:(A;;FA;;;WD) - inherit\_object\_guid: N/A - account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. -For more information about SDDL syntax, see these articles: , . +For more information about SDDL syntax, see these articles: , . ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md index 91100cee21..b43367180a 100644 --- a/windows/security/threat-protection/auditing/event-4908.md +++ b/windows/security/threat-protection/auditing/event-4908.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -33,7 +33,7 @@ More information about Special Groups auditing can be found here: - + > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md index 02c3e26b35..a5cac875fe 100644 --- a/windows/security/threat-protection/auditing/event-4909.md +++ b/windows/security/threat-protection/auditing/event-4909.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md index fcf06907b2..caae02d594 100644 --- a/windows/security/threat-protection/auditing/event-4910.md +++ b/windows/security/threat-protection/auditing/event-4910.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index a613fe1a37..e23d75e43c 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -92,7 +92,7 @@ Resource attributes for file or folder can be changed, for example, using Window - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -260,7 +260,7 @@ Example: D:(A;;FA;;;WD) - inherit\_object\_guid: N/A - account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. -For more information about SDDL syntax, see these articles: , . +For more information about SDDL syntax, see these articles: , . ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md index 87d587596b..9c8b90a244 100644 --- a/windows/security/threat-protection/auditing/event-4912.md +++ b/windows/security/threat-protection/auditing/event-4912.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -89,7 +89,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 8c3d47db80..dffc456a95 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,9 +23,9 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when a [Central Access Policy](https://technet.microsoft.com/en-us/library/hh831425.aspx) on a file system object is changed. +This event generates when a [Central Access Policy](https://technet.microsoft.com/library/hh831425.aspx) on a file system object is changed. -This event always generates, regardless of the object’s [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) settings. +This event always generates, regardless of the object’s [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx) settings. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -92,7 +92,7 @@ This event always generates, regardless of the object’s [SACL](https://msdn.mi - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -264,7 +264,7 @@ Example: D:(A;;FA;;;WD) - inherit\_object\_guid: N/A - account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. -For more information about SDDL syntax, see these articles: , . +For more information about SDDL syntax, see these articles: , . ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index 615d55926f..7277df2383 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -94,11 +94,11 @@ Failure event generates if an error occurs (**Status Code** != 0). > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. -- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/library/cc228477.aspx). Directory Replication Service options in AD Sites and Services -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index f1e2e9044a..89a6c4bdcd 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -94,9 +94,9 @@ Failure event generates if an error occurs (**Status Code** != 0). > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. -- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/library/cc228477.aspx). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index 7063936812..c8673aa1f5 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -96,9 +96,9 @@ It is not possible to understand what exactly was modified from this event. > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. -- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/library/cc228477.aspx). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index ef59fb97f9..e013a1f379 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -96,9 +96,9 @@ It is not possible to understand what exactly was modified from this event. > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. -- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/library/cc228477.aspx). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md index 40f8fe939a..259181c5fa 100644 --- a/windows/security/threat-protection/auditing/event-4932.md +++ b/windows/security/threat-protection/auditing/event-4932.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -90,7 +90,7 @@ This event generates every time synchronization of a replica of an Active Direct > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. -- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/library/cc228477.aspx). - **Session ID** \[Type = UInt32\]**:** unique identifier of replication session. Using this field you can find “[4932](event-4932.md): Synchronization of a replica of an Active Directory naming context has begun.” and “[4933](event-4933.md): Synchronization of a replica of an Active Directory naming context has ended.” events for the same session. diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md index f1097f928f..544b20789b 100644 --- a/windows/security/threat-protection/auditing/event-4933.md +++ b/windows/security/threat-protection/auditing/event-4933.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -93,7 +93,7 @@ Failure event occurs when synchronization of a replica of an Active Directory na > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. -- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/en-us/library/cc228477.aspx). +- **Options** \[Type = UInt32\]: decimal value of [DRS Options](https://msdn.microsoft.com/library/cc228477.aspx). - **Session ID** \[Type = UInt32\]**:** unique identifier of replication session. Using this field you can find “[4932](event-4932.md): Synchronization of a replica of an Active Directory naming context has begun.” and “[4933](event-4933.md): Synchronization of a replica of an Active Directory naming context has ended.” events for the same session. @@ -101,7 +101,7 @@ Failure event occurs when synchronization of a replica of an Active Directory na > **Note**  Active Directory replication does not depend on time to determine what changes need to be propagated. It relies instead on the use of **update sequence numbers (USNs)** that are assigned by a counter that is local to each domain controller. Because these USN counters are local, it is easy to ensure that they are reliable and never "run backward" (that is, decrease in value). The trade-off is that it is meaningless to compare a USN assigned on one domain controller to a USN assigned on a different domain controller. The replication system is designed with this restriction in mind. -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be “**0**”. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be “**0**”. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md index 7df893eab6..afc657cfe7 100644 --- a/windows/security/threat-protection/auditing/event-4934.md +++ b/windows/security/threat-protection/auditing/event-4934.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md index d29e4f36f5..a666ac4295 100644 --- a/windows/security/threat-protection/auditing/event-4935.md +++ b/windows/security/threat-protection/auditing/event-4935.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md index 92b3e6caf5..2541043735 100644 --- a/windows/security/threat-protection/auditing/event-4936.md +++ b/windows/security/threat-protection/auditing/event-4936.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md index 2b02731d51..46e39eac12 100644 --- a/windows/security/threat-protection/auditing/event-4937.md +++ b/windows/security/threat-protection/auditing/event-4937.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event generates when a [lingering object](https://support.microsoft.com/en-us/kb/910205) was removed from a replica. +This event generates when a [lingering object](https://support.microsoft.com/kb/910205) was removed from a replica. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md index b4169b5915..c3b5d2b822 100644 --- a/windows/security/threat-protection/auditing/event-4944.md +++ b/windows/security/threat-protection/auditing/event-4944.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -83,7 +83,7 @@ This event shows Windows Firewall settings that were in effect when the Windows Windows Firewall set to Off illustration -**Allow Remote Administration** \[Type = UnicodeString\]: looks like this setting is connected to ”[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/en-us/library/cc738900(v=ws.10).aspx)” Group Policy setting, but it is always Disabled, no matter which option is set for “[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/en-us/library/cc738900(v=ws.10).aspx)” Group Policy. +**Allow Remote Administration** \[Type = UnicodeString\]: looks like this setting is connected to ”[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/library/cc738900(v=ws.10).aspx)” Group Policy setting, but it is always Disabled, no matter which option is set for “[Windows Firewall: Allow remote administration exception](https://technet.microsoft.com/library/cc738900(v=ws.10).aspx)” Group Policy. **Allow Unicast Responses to Multicast/Broadcast Traffic** \[Type = UnicodeString\]: diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md index c759afa1e6..eba8ccd671 100644 --- a/windows/security/threat-protection/auditing/event-4945.md +++ b/windows/security/threat-protection/auditing/event-4945.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md index 9c67d305e2..21b7061a9b 100644 --- a/windows/security/threat-protection/auditing/event-4946.md +++ b/windows/security/threat-protection/auditing/event-4946.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md index bb9a592ca3..3c43a64cd2 100644 --- a/windows/security/threat-protection/auditing/event-4947.md +++ b/windows/security/threat-protection/auditing/event-4947.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md index 2a8a1a7a9a..6ab7f16f7f 100644 --- a/windows/security/threat-protection/auditing/event-4948.md +++ b/windows/security/threat-protection/auditing/event-4948.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md index 0454afa9ca..af8020bcfa 100644 --- a/windows/security/threat-protection/auditing/event-4949.md +++ b/windows/security/threat-protection/auditing/event-4949.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md index fd666fc369..86b013392c 100644 --- a/windows/security/threat-protection/auditing/event-4950.md +++ b/windows/security/threat-protection/auditing/event-4950.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md index a83b9f12c9..d9e05e9505 100644 --- a/windows/security/threat-protection/auditing/event-4951.md +++ b/windows/security/threat-protection/auditing/event-4951.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md index dfa3de4c4f..32dc73cc6e 100644 --- a/windows/security/threat-protection/auditing/event-4952.md +++ b/windows/security/threat-protection/auditing/event-4952.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index d74e0ac560..0835e66b51 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md index 91e3c4833d..743878ab0f 100644 --- a/windows/security/threat-protection/auditing/event-4954.md +++ b/windows/security/threat-protection/auditing/event-4954.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md index 2c57e4c683..dbdb573ed5 100644 --- a/windows/security/threat-protection/auditing/event-4956.md +++ b/windows/security/threat-protection/auditing/event-4956.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index 135f54ed60..d9684e4ba7 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index e04a7c576b..bb6d247e38 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md index 64d80d5bd4..ba05f4c402 100644 --- a/windows/security/threat-protection/auditing/event-4964.md +++ b/windows/security/threat-protection/auditing/event-4964.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -111,7 +111,7 @@ This event occurs when an account that is a member of any defined [Special Group - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -139,7 +139,7 @@ This event occurs when an account that is a member of any defined [Special Group - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md index b5ae0e52fc..e1671b024a 100644 --- a/windows/security/threat-protection/auditing/event-4985.md +++ b/windows/security/threat-protection/auditing/event-4985.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This is an informational event from file system [Transaction Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366385(v=vs.85).aspx). +This is an informational event from file system [Transaction Manager](https://msdn.microsoft.com/library/windows/desktop/aa366385(v=vs.85).aspx). > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -87,7 +87,7 @@ This is an informational event from file system [Transaction Manager](https://ms - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -95,13 +95,13 @@ This is an informational event from file system [Transaction Manager](https://ms **Transaction Information:** -- **RM Transaction ID** \[Type = GUID\]: unique GUID of the [transaction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366402(v=vs.85).aspx). This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.” +- **RM Transaction ID** \[Type = GUID\]: unique GUID of the [transaction](https://msdn.microsoft.com/library/windows/desktop/aa366402(v=vs.85).aspx). This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.” > **Note**  **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances. -- **New State** \[Type = UInt32\]**:** identifier of the new state of the [transaction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366402(v=vs.85).aspx). +- **New State** \[Type = UInt32\]**:** identifier of the new state of the [transaction](https://msdn.microsoft.com/library/windows/desktop/aa366402(v=vs.85).aspx). -- **Resource Manager** \[Type = GUID\]**:** unique GUID-Identifier of the [Resource Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366356(v=vs.85).aspx) which associated with this [transaction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366402(v=vs.85).aspx). +- **Resource Manager** \[Type = GUID\]**:** unique GUID-Identifier of the [Resource Manager](https://msdn.microsoft.com/library/windows/desktop/aa366356(v=vs.85).aspx) which associated with this [transaction](https://msdn.microsoft.com/library/windows/desktop/aa366402(v=vs.85).aspx). **Process Information:** @@ -119,5 +119,5 @@ This is an informational event from file system [Transaction Manager](https://ms For 4985(S): The state of a transaction has changed. -- This event typically has no security relevance and used for [Transaction Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366385(v=vs.85).aspx) troubleshooting. +- This event typically has no security relevance and used for [Transaction Manager](https://msdn.microsoft.com/library/windows/desktop/aa366385(v=vs.85).aspx) troubleshooting. diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md index 41b9e70214..f1183ce7ac 100644 --- a/windows/security/threat-protection/auditing/event-5024.md +++ b/windows/security/threat-protection/auditing/event-5024.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md index 1fc4d75d56..43d42d9ad6 100644 --- a/windows/security/threat-protection/auditing/event-5025.md +++ b/windows/security/threat-protection/auditing/event-5025.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md index 369785a28c..7a02f1c187 100644 --- a/windows/security/threat-protection/auditing/event-5027.md +++ b/windows/security/threat-protection/auditing/event-5027.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md index 426fabfd91..51c3c3a7aa 100644 --- a/windows/security/threat-protection/auditing/event-5028.md +++ b/windows/security/threat-protection/auditing/event-5028.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md index b406c84f14..cee2e5f678 100644 --- a/windows/security/threat-protection/auditing/event-5029.md +++ b/windows/security/threat-protection/auditing/event-5029.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index 48a65fb8f8..4f42988a8c 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index 583721a9fe..b0f14b177b 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,9 +23,9 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when an application was blocked from accepting incoming connections on the network by [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx). +This event generates when an application was blocked from accepting incoming connections on the network by [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx). -If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) layer, because by default this layer is denying any incoming connections. +If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) layer, because by default this layer is denying any incoming connections. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md index d15d9f16fa..0a95f4b688 100644 --- a/windows/security/threat-protection/auditing/event-5032.md +++ b/windows/security/threat-protection/auditing/event-5032.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md index 75109ef8f3..9c05c9b919 100644 --- a/windows/security/threat-protection/auditing/event-5033.md +++ b/windows/security/threat-protection/auditing/event-5033.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md index 0ccd247148..d45008ad7a 100644 --- a/windows/security/threat-protection/auditing/event-5034.md +++ b/windows/security/threat-protection/auditing/event-5034.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md index 175e4aadec..d7897db3b0 100644 --- a/windows/security/threat-protection/auditing/event-5035.md +++ b/windows/security/threat-protection/auditing/event-5035.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md index bf4911fb3e..6f2c76bbc8 100644 --- a/windows/security/threat-protection/auditing/event-5037.md +++ b/windows/security/threat-protection/auditing/event-5037.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index 3e6b0fb302..90141b7968 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -19,7 +19,7 @@ ms.date: 04/19/2017 The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. -This event generates by [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) feature, if signature of a file is not valid. +This event generates by [Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) feature, if signature of a file is not valid. Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md index 7b1ba2e281..b32498cbac 100644 --- a/windows/security/threat-protection/auditing/event-5039.md +++ b/windows/security/threat-protection/auditing/event-5039.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md index 73f82089f2..b979c83969 100644 --- a/windows/security/threat-protection/auditing/event-5051.md +++ b/windows/security/threat-protection/auditing/event-5051.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index be7ee92421..6022e87752 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -21,9 +21,9 @@ This event generates in CNG Self-Test function. This is a Cryptographic Next Gen For more information about Cryptographic Next Generation (CNG) visit these pages: -- +- -- +- - diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index 55f1edb854..55b26f70a7 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -21,9 +21,9 @@ This event generates in case of CNG primitive operation failure. For more information about Cryptographic Next Generation (CNG) visit these pages: -- +- -- +- - diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md index c0b2c17fe8..4ad30887c5 100644 --- a/windows/security/threat-protection/auditing/event-5058.md +++ b/windows/security/threat-protection/auditing/event-5058.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used: +This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](https://msdn.microsoft.com/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used: - Microsoft Software Key Storage Provider @@ -95,7 +95,7 @@ You can see these events, for example, during certificate renewal or export oper - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md index cc890b0727..c66d058b7b 100644 --- a/windows/security/threat-protection/auditing/event-5059.md +++ b/windows/security/threat-protection/auditing/event-5059.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when a cryptographic key is exported or imported using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used: +This event generates when a cryptographic key is exported or imported using a [Key Storage Provider](https://msdn.microsoft.com/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used: - Microsoft Software Key Storage Provider @@ -92,7 +92,7 @@ This event generates when a cryptographic key is exported or imported using a [K - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index be31414e13..bc9429a8bc 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -21,9 +21,9 @@ This event generates in case of CNG verification operation failure. For more information about Cryptographic Next Generation (CNG) visit these pages: -- +- -- +- - diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md index cbd18c4c2a..8723ff747f 100644 --- a/windows/security/threat-protection/auditing/event-5061.md +++ b/windows/security/threat-protection/auditing/event-5061.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](https://msdn.microsoft.com/en-us/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used: +This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](https://msdn.microsoft.com/library/windows/desktop/bb931355(v=vs.85).aspx) (KSP). This event generates only if one of the following KSPs were used: - Microsoft Software Key Storage Provider @@ -92,7 +92,7 @@ This event generates when a cryptographic operation (open key, create key, creat - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md index 67b9d5b4e3..7a8d60d333 100644 --- a/windows/security/threat-protection/auditing/event-5062.md +++ b/windows/security/threat-protection/auditing/event-5062.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index b5a82e84e3..e506f106bb 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ This event generates when cryptographic provider was registered or unregistered. For more information about Cryptographic Next Generation (CNG) visit these pages: -- +- - diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index 5ee606581a..69323aa545 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,13 +17,13 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event generates in [BCryptCreateContext](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375381(v=vs.85).aspx)() and [BCryptDeleteContext](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375392(v=vs.85).aspx)() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in [BCryptCreateContext](https://msdn.microsoft.com/library/windows/desktop/aa375381(v=vs.85).aspx)() and [BCryptDeleteContext](https://msdn.microsoft.com/library/windows/desktop/aa375392(v=vs.85).aspx)() functions. These are Cryptographic Next Generation (CNG) functions. This event generates when cryptographic context was created or deleted. For more information about Cryptographic Next Generation (CNG) visit these pages: -- +- - diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index ee4fae206d..1dee2151ae 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ This event generates when configuration information was changed for existing CNG For more information about Cryptographic Next Generation (CNG) visit these pages: -- +- - diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index c37391a6df..726f892d54 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,13 +17,13 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event generates in [BCryptAddContextFunction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375360(v=vs.85).aspx)() and [BCryptRemoveContextFunction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375492(v=vs.85).aspx)() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in [BCryptAddContextFunction](https://msdn.microsoft.com/library/windows/desktop/aa375360(v=vs.85).aspx)() and [BCryptRemoveContextFunction](https://msdn.microsoft.com/library/windows/desktop/aa375492(v=vs.85).aspx)() functions. These are Cryptographic Next Generation (CNG) functions. This event generates when cryptographic function was added or removed from the list of functions that are supported by an existing CNG context. For more information about Cryptographic Next Generation (CNG) visit these pages: -- +- - diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index 4928e743c7..ddcb18eaa4 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,13 +17,13 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event generates in [BCryptConfigureContextFunction](https://msdn.microsoft.com/en-us/library/windows/desktop/aa375380(v=vs.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptConfigureContextFunction](https://msdn.microsoft.com/library/windows/desktop/aa375380(v=vs.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function. This event generates when configuration information for the cryptographic function of an existing CNG context was changed. For more information about Cryptographic Next Generation (CNG) visit these pages: -- +- - diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index 45904a6ef7..768e98e5ca 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -21,7 +21,7 @@ This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveConte For more information about Cryptographic Next Generation (CNG) visit these pages: -- +- - diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index 6f40c2d61f..df7796c8f1 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,13 +17,13 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event generates in [BCryptSetContextFunctionProperty](https://msdn.microsoft.com/en-us/library/windows/desktop/Aa375501(v=VS.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptSetContextFunctionProperty](https://msdn.microsoft.com/library/windows/desktop/Aa375501(v=VS.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function. This event generates when named property for a cryptographic function in an existing CNG context was added or removed. For more information about Cryptographic Next Generation (CNG) visit these pages: -- +- - diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md index dde6756a49..00f58219d3 100644 --- a/windows/security/threat-protection/auditing/event-5070.md +++ b/windows/security/threat-protection/auditing/event-5070.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,13 +17,13 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event generates in [BCryptSetContextFunctionProperty](https://msdn.microsoft.com/en-us/library/windows/desktop/Aa375501(v=VS.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptSetContextFunctionProperty](https://msdn.microsoft.com/library/windows/desktop/Aa375501(v=VS.85).aspx)() function. This is a Cryptographic Next Generation (CNG) function. This event generates when named property for a cryptographic function in an existing CNG context was updated. For more information about Cryptographic Next Generation (CNG) visit these pages: -- +- - diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md index ac81516d45..82424142eb 100644 --- a/windows/security/threat-protection/auditing/event-5136.md +++ b/windows/security/threat-protection/auditing/event-5136.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event generates every time an Active Directory object is modified. -To generate this event, the modified object must have an appropriate entry in [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Write”** action auditing for specific attributes. +To generate this event, the modified object must have an appropriate entry in [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Write”** action auditing for specific attributes. For a change operation you will typically see two 5136 events for one action, with different **Operation\\Type** fields: “Value Deleted” and then “Value Added”. “Value Deleted” event typically contains previous value and “Value Added” event contains new value. @@ -97,7 +97,7 @@ For a change operation you will typically see two 5136 events for one action, wi - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -173,13 +173,13 @@ For a change operation you will typically see two 5136 events for one action, wi - groupPolicyContainer – for group policy objects. - For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: ) and navigate to **Active Directory Schema\\Classes**. Or use this document: + For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: ) and navigate to **Active Directory Schema\\Classes**. Or use this document: **Attribute:** - **LDAP Display Name** \[Type = UnicodeString\]**:** the object attribute that was modified. -> **Note**  [LDAP Display Name](https://msdn.microsoft.com/en-us/library/ms676828(v=vs.85).aspx) is the name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute by using the LDAP protocol. +> **Note**  [LDAP Display Name](https://msdn.microsoft.com/library/ms676828(v=vs.85).aspx) is the name used by LDAP clients, such as the ADSI LDAP provider, to read and write the attribute by using the LDAP protocol. - **Syntax (OID)** \[Type = UnicodeString\]**:** The syntax for an attribute defines the storage representation, byte ordering, and matching rules for comparisons of property types. Whether the attribute value must be a string, a number, or a unit of time is also defined. Every attribute of every object is associated with exactly one syntax. The syntaxes are not represented as objects in the schema, but they are programmed to be understood by Active Directory. The allowable syntaxes in Active Directory are predefined. diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md index 68e3c16bf6..4dd192ede6 100644 --- a/windows/security/threat-protection/auditing/event-5137.md +++ b/windows/security/threat-protection/auditing/event-5137.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event generates every time an Active Directory object is created. -This event only generates if the parent object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action auditing for the organizational unit. +This event only generates if the parent object has a particular entry in its [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action auditing for the organizational unit. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -91,7 +91,7 @@ This event only generates if the parent object has a particular entry in its [SA - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -165,7 +165,7 @@ This event only generates if the parent object has a particular entry in its [SA - groupPolicyContainer – for group policy objects. - For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: + For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: **Operation:** diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md index 8f8025411c..78b36ff6bd 100644 --- a/windows/security/threat-protection/auditing/event-5138.md +++ b/windows/security/threat-protection/auditing/event-5138.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,9 +23,9 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active Directory object was restored from the [Active Directory Recycle Bin](https://technet.microsoft.com/en-us/library/dd392261(v=ws.10).aspx). +This event generates every time an Active Directory object is undeleted. It happens, for example, when an Active Directory object was restored from the [Active Directory Recycle Bin](https://technet.microsoft.com/library/dd392261(v=ws.10).aspx). -This event only generates if the container to which the Active Directory object was restored has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create User objects**” action. +This event only generates if the container to which the Active Directory object was restored has a particular entry in its [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create User objects**” action. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -92,7 +92,7 @@ This event only generates if the container to which the Active Directory object - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -106,7 +106,7 @@ This event only generates if the container to which the Active Directory object **Object:** -- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will points to [Active Directory Recycle Bin](https://technet.microsoft.com/en-us/library/dd392261(v=ws.10).aspx) folder, in case if it was restored from it. +- **Old DN** \[Type = UnicodeString\]: Old distinguished name of undeleted object. It will points to [Active Directory Recycle Bin](https://technet.microsoft.com/library/dd392261(v=ws.10).aspx) folder, in case if it was restored from it. > **Note**  The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas. @@ -168,7 +168,7 @@ This event only generates if the container to which the Active Directory object - groupPolicyContainer – for group policy objects. - For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: + For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: **Operation:** diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md index b949968635..c7470c1266 100644 --- a/windows/security/threat-protection/auditing/event-5139.md +++ b/windows/security/threat-protection/auditing/event-5139.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event generates every time an Active Directory object is moved. -This event only generates if the destination object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action, auditing for the organizational unit. +This event only generates if the destination object has a particular entry in its [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Create**” action, auditing for specific classes or objects. An example is the “**Create Computer objects**” action, auditing for the organizational unit. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -92,7 +92,7 @@ This event only generates if the destination object has a particular entry in it - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -168,7 +168,7 @@ This event only generates if the destination object has a particular entry in it - groupPolicyContainer – for group policy objects. - For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: + For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: **Operation:** diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md index aa0ea5013d..41cb02b044 100644 --- a/windows/security/threat-protection/auditing/event-5140.md +++ b/windows/security/threat-protection/auditing/event-5140.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -93,7 +93,7 @@ This event generates once per session, when first access attempt was made. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md index d1a8d52a18..2fa6239fc2 100644 --- a/windows/security/threat-protection/auditing/event-5141.md +++ b/windows/security/threat-protection/auditing/event-5141.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event generates every time an Active Directory object is deleted. -This event only generates if the deleted object has a particular entry in its [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Delete”** action, auditing for specific objects. +This event only generates if the deleted object has a particular entry in its [SACL](https://msdn.microsoft.com/library/windows/desktop/aa374872(v=vs.85).aspx): the “**Delete”** action, auditing for specific objects. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -92,7 +92,7 @@ This event only generates if the deleted object has a particular entry in its [S - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -168,7 +168,7 @@ This event only generates if the deleted object has a particular entry in its [S - groupPolicyContainer – for group policy objects. - For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: + For all possible values of this field open Active Directory Schema snap-in (see how to enable this snap-in: and navigate to **Active Directory Schema\\Classes**. Or use this document: **Operation:** diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md index e031fd9dbd..a208af1049 100644 --- a/windows/security/threat-protection/auditing/event-5142.md +++ b/windows/security/threat-protection/auditing/event-5142.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -84,7 +84,7 @@ This event generates every time network share object was added. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index 999f6f9f93..dbddd02ca3 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -93,7 +93,7 @@ This event generates every time network share object was modified. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -249,7 +249,7 @@ Example: D:(A;;FA;;;WD) - inherit\_object\_guid: N/A - account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. -For more information about SDDL syntax, see these articles: , . +For more information about SDDL syntax, see these articles: , . ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md index 905774bf44..c9da3d4b18 100644 --- a/windows/security/threat-protection/auditing/event-5144.md +++ b/windows/security/threat-protection/auditing/event-5144.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -84,7 +84,7 @@ This event generates every time a network share object is deleted. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index ec8421bf74..ce6a43ab61 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -93,7 +93,7 @@ This event generates every time network share object (file or folder) was access - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -148,7 +148,7 @@ This event generates every time network share object (file or folder) was access | AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,
    %%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**).
    **AddSubdirectory -** For a directory, the right to create a subdirectory.
    **CreatePipeInstance -** For a named pipe, the right to create a pipe. | | ReadEA | 0x8,
    %%4419 | The right to read extended file attributes. | | WriteEA | 0x10,
    %%4420 | The right to write extended file attributes. | -| Execute/Traverse | 0x20,
    %%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
    **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | +| Execute/Traverse | 0x20,
    %%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.
    **Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**  [privilege](https://msdn.microsoft.com/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**  [access right](https://msdn.microsoft.com/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. | | DeleteChild | 0x40,
    %%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. | | ReadAttributes | 0x80,
    %%4423 | The right to read file attributes. | | WriteAttributes | 0x100,
    %%4424 | The right to write file attributes. | @@ -287,7 +287,7 @@ Example: D:(A;;FA;;;WD) - inherit\_object\_guid: N/A - account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. -For more information about SDDL syntax, see these articles: , . +For more information about SDDL syntax, see these articles: , . ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md index c4461e26a3..602cf56f41 100644 --- a/windows/security/threat-protection/auditing/event-5148.md +++ b/windows/security/threat-protection/auditing/event-5148.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 05/29/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md index 08039b5ca0..991095fcd1 100644 --- a/windows/security/threat-protection/auditing/event-5149.md +++ b/windows/security/threat-protection/auditing/event-5149.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 05/29/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index 3afbcf26df..79d3862213 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event is logged if the Windows Filtering Platform [MAC filter](https://msdn.microsoft.com/en-us/library/windows/hardware/hh440262(v=vs.85).aspx) blocked a packet. +This event is logged if the Windows Filtering Platform [MAC filter](https://msdn.microsoft.com/library/windows/hardware/hh440262(v=vs.85).aspx) blocked a packet. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index 4864a283c9..64981f1412 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -This event is logged if a more restrictive Windows Filtering Platform [MAC filter](https://msdn.microsoft.com/en-us/library/windows/hardware/hh440262(v=vs.85).aspx) has blocked a packet. +This event is logged if a more restrictive Windows Filtering Platform [MAC filter](https://msdn.microsoft.com/library/windows/hardware/hh440262(v=vs.85).aspx) has blocked a packet. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md index 154a62f07a..1b251bea6d 100644 --- a/windows/security/threat-protection/auditing/event-5152.md +++ b/windows/security/threat-protection/auditing/event-5152.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a network packet. +This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a network packet. This event is generated for every received network packet. @@ -155,7 +155,7 @@ This event is generated for every received network packet. Filters.xml file illustration -- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. - **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md index ffd21c1282..f2bb576647 100644 --- a/windows/security/threat-protection/auditing/event-5153.md +++ b/windows/security/threat-protection/auditing/event-5153.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md index 9dd278c6a8..b9c8ebee04 100644 --- a/windows/security/threat-protection/auditing/event-5154.md +++ b/windows/security/threat-protection/auditing/event-5154.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to listen on a port. +This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to listen on a port. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -108,7 +108,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros - 17 – UDP. - More information about possible values for this field: . + More information about possible values for this field: . **Filter Information:** @@ -118,7 +118,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros Filters.xml file illustration -- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. - **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md index 8662e186f2..e8b202cf7b 100644 --- a/windows/security/threat-protection/auditing/event-5155.md +++ b/windows/security/threat-protection/auditing/event-5155.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -19,7 +19,7 @@ ms.date: 04/19/2017 By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself. -You can add your own filters using the WFP APIs to block listen to reproduce this event: . +You can add your own filters using the WFP APIs to block listen to reproduce this event: . There is no event example in this document. diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md index bfeaa865c2..d83a403ec4 100644 --- a/windows/security/threat-protection/auditing/event-5156.md +++ b/windows/security/threat-protection/auditing/event-5156.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has allowed a connection. +This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) has allowed a connection. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -155,7 +155,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co Filters.xml file illustration -- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. - **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md index 6b91edfeb0..c2c38a5c86 100644 --- a/windows/security/threat-protection/auditing/event-5157.md +++ b/windows/security/threat-protection/auditing/event-5157.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a connection. +This event generates when [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) has blocked a connection. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -155,7 +155,7 @@ This event generates when [Windows Filtering Platform](https://msdn.microsoft.co Filters.xml file illustration -- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. - **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md index d3d62462e1..48e4df3727 100644 --- a/windows/security/threat-protection/auditing/event-5158.md +++ b/windows/security/threat-protection/auditing/event-5158.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to bind to a local port. +This event generates every time [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) permits an application or service to bind to a local port. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -132,7 +132,7 @@ This event generates every time [Windows Filtering Platform](https://msdn.micros Filters.xml file illustration -- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. +- **Layer Name** \[Type = UnicodeString\]: [Application Layer Enforcement](https://msdn.microsoft.com/library/windows/desktop/aa363971(v=vs.85).aspx) layer name. - **Layer Run-Time ID** \[Type = UInt64\]: Windows Filtering Platform layer identifier. To find specific Windows Filtering Platform layer ID you need to execute the following command: **netsh wfp show state**. As result of this command **wfpstate.xml** file will be generated. You need to open this file and find specific substring with required layer ID (**<layerId>**)**,** for example: diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md index 3fdf553811..74fd606119 100644 --- a/windows/security/threat-protection/auditing/event-5159.md +++ b/windows/security/threat-protection/auditing/event-5159.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md index 46f401b3a0..5f00a2ae01 100644 --- a/windows/security/threat-protection/auditing/event-5168.md +++ b/windows/security/threat-protection/auditing/event-5168.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event generates when SMB SPN check fails. -It often happens because of NTLMv1 or LM protocols usage from client side when “[Microsoft Network Server: Server SPN target name validation level](https://technet.microsoft.com/en-us/library/jj852272.aspx)” group policy set to “Require from client” on server side. SPN only sent to server when NTLMv2 or Kerberos protocols are used, and after that SPN can be validated. +It often happens because of NTLMv1 or LM protocols usage from client side when “[Microsoft Network Server: Server SPN target name validation level](https://technet.microsoft.com/library/jj852272.aspx)” group policy set to “Require from client” on server side. SPN only sent to server when NTLMv2 or Kerberos protocols are used, and after that SPN can be validated. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -89,7 +89,7 @@ It often happens because of NTLMv1 or LM protocols usage from client side when - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -101,7 +101,7 @@ It often happens because of NTLMv1 or LM protocols usage from client side when > **Note**  **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. -- **Error Code** \[Type = HexInt32\]: hexadecimal error code, for example “0xC0000022” = STATUS\_ACCESS\_DENIED. You can find description for all SMB error codes here: . +- **Error Code** \[Type = HexInt32\]: hexadecimal error code, for example “0xC0000022” = STATUS\_ACCESS\_DENIED. You can find description for all SMB error codes here: . **Server Information**: diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md index 40919244b6..2d4b9b43dd 100644 --- a/windows/security/threat-protection/auditing/event-5376.md +++ b/windows/security/threat-protection/auditing/event-5376.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -86,7 +86,7 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md index c55060acff..e267dac07b 100644 --- a/windows/security/threat-protection/auditing/event-5377.md +++ b/windows/security/threat-protection/auditing/event-5377.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -86,7 +86,7 @@ This event generates on domain controllers, member servers, and workstations. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md index 47e308e4b7..a66380e893 100644 --- a/windows/security/threat-protection/auditing/event-5378.md +++ b/windows/security/threat-protection/auditing/event-5378.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,9 +23,9 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates requested [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) credentials delegation was disallowed by [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation policy. +This event generates requested [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) credentials delegation was disallowed by [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) delegation policy. -It typically occurs when [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation for [WinRM](https://msdn.microsoft.com/en-us/library/aa384426(v=vs.85).aspx) [double-hop](https://msdn.microsoft.com/en-us/library/ee309365(v=vs.85).aspx) session was not set properly. +It typically occurs when [CredSSP](https://msdn.microsoft.com/library/cc226764.aspx) delegation for [WinRM](https://msdn.microsoft.com/library/aa384426(v=vs.85).aspx) [double-hop](https://msdn.microsoft.com/library/ee309365(v=vs.85).aspx) session was not set properly. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -88,7 +88,7 @@ It typically occurs when [CredSSP](https://msdn.microsoft.com/en-us/library/cc22 - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -96,9 +96,9 @@ It typically occurs when [CredSSP](https://msdn.microsoft.com/en-us/library/cc22 **Credential Delegation Information:** -- **Security Package** \[Type = UnicodeString\]: the name of [Security Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380501(v=vs.85).aspx) which was used. Always **CREDSSP** for this event. +- **Security Package** \[Type = UnicodeString\]: the name of [Security Package](https://msdn.microsoft.com/library/windows/desktop/aa380501(v=vs.85).aspx) which was used. Always **CREDSSP** for this event. -- **User's UPN** \[Type = UnicodeString\]: [UPN](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx) of the account for which delegation was requested. +- **User's UPN** \[Type = UnicodeString\]: [UPN](https://msdn.microsoft.com/library/windows/desktop/aa380525(v=vs.85).aspx) of the account for which delegation was requested. - **Target Server** \[Type = UnicodeString\]: SPN of the target service for which delegation was requested. @@ -110,7 +110,7 @@ It typically occurs when [CredSSP](https://msdn.microsoft.com/en-us/library/cc22 |---------------------|---------------------------------------------------------------------------------------------------------------------------------------------| | Default credentials | The credentials obtained when the user first logs on to Windows. | | Fresh credentials | The credentials that the user is prompted for when executing an application. | -| Saved credentials | The credentials that are saved using [Credential Manager](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374792(v=vs.85).aspx). | +| Saved credentials | The credentials that are saved using [Credential Manager](https://msdn.microsoft.com/library/windows/desktop/aa374792(v=vs.85).aspx). | ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md index d946f5bf63..73cabba9b9 100644 --- a/windows/security/threat-protection/auditing/event-5447.md +++ b/windows/security/threat-protection/auditing/event-5447.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates every time a [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) filter has been changed. +This event generates every time a [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510(v=vs.85).aspx) filter has been changed. It typically generates during Group Policy update procedures. diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md index b84d151c2d..3e6b8da62f 100644 --- a/windows/security/threat-protection/auditing/event-5632.md +++ b/windows/security/threat-protection/auditing/event-5632.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when [802.1x](https://technet.microsoft.com/en-us/library/hh831831.aspx) authentication attempt was made for wireless network. +This event generates when [802.1x](https://technet.microsoft.com/library/hh831831.aspx) authentication attempt was made for wireless network. It typically generates when network adapter connects to new wireless network. @@ -82,7 +82,7 @@ It typically generates when network adapter connects to new wireless network. - **Security ID** \[Type = UnicodeString\]**:** User Principal Name (UPN) or another type of account identifier for which 802.1x authentication request was made. -> **Note**  [User principal name](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com. +> **Note**  [User principal name](https://msdn.microsoft.com/library/windows/desktop/aa380525(v=vs.85).aspx) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com. - **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made. @@ -94,7 +94,7 @@ It typically generates when network adapter connects to new wireless network. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -124,11 +124,11 @@ You can see interface’s GUID using the following commands: **Additional Information:** -- **Reason Code** \[Type = UnicodeString\]**:** contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results. See more information about reason codes for wireless authentication here: , . +- **Reason Code** \[Type = UnicodeString\]**:** contains Reason Text (explanation of Reason Code) and Reason Code for wireless authentication results. See more information about reason codes for wireless authentication here: , . - **Error Code** \[Type = HexInt32\]**:** there is no information about this field in this document. -- **EAP Reason Code** \[Type = HexInt32\]**:** there is no information about this field in this document. See additional information here: . +- **EAP Reason Code** \[Type = HexInt32\]**:** there is no information about this field in this document. See additional information here: . - **EAP Root Cause String** \[Type = UnicodeString\]**:** there is no information about this field in this document. diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md index 7984ff5428..19604e4cc9 100644 --- a/windows/security/threat-protection/auditing/event-5633.md +++ b/windows/security/threat-protection/auditing/event-5633.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when [802.1x](https://technet.microsoft.com/en-us/library/hh831831.aspx) authentication attempt was made for wired network. +This event generates when [802.1x](https://technet.microsoft.com/library/hh831831.aspx) authentication attempt was made for wired network. It typically generates when network adapter connects to new wired network. @@ -76,7 +76,7 @@ It typically generates when network adapter connects to new wired network. - **Security ID** \[Type = UnicodeString\]**:** User Principal Name (UPN) of account for which 802.1x authentication request was made. -> **Note**  [User principal name](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380525(v=vs.85).aspx) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com. +> **Note**  [User principal name](https://msdn.microsoft.com/library/windows/desktop/aa380525(v=vs.85).aspx) (UPN) format is used to specify an Internet-style name, such as UserName@Example.Microsoft.com. - **Account Name** \[Type = UnicodeString\]**:** the name of the account for which 802.1x authentication request was made. @@ -88,7 +88,7 @@ It typically generates when network adapter connects to new wired network. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -102,9 +102,9 @@ It typically generates when network adapter connects to new wired network. **Additional Information:** -- **Reason Code** \[Type = UnicodeString\]: contains Reason Text (explanation of Reason Code) and Reason Code for wired authentication results. See more information about reason codes for wired authentication here: , . +- **Reason Code** \[Type = UnicodeString\]: contains Reason Text (explanation of Reason Code) and Reason Code for wired authentication results. See more information about reason codes for wired authentication here: , . -- **Error Code** \[Type = HexInt32\]: unique [EAP error code](https://msdn.microsoft.com/en-us/library/windows/desktop/aa813691(v=vs.85).aspx). +- **Error Code** \[Type = HexInt32\]: unique [EAP error code](https://msdn.microsoft.com/library/windows/desktop/aa813691(v=vs.85).aspx). ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md index 0588eb54be..be757a5bb8 100644 --- a/windows/security/threat-protection/auditing/event-5712.md +++ b/windows/security/threat-protection/auditing/event-5712.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md index 28a9434761..cb9fcf14b6 100644 --- a/windows/security/threat-protection/auditing/event-5888.md +++ b/windows/security/threat-protection/auditing/event-5888.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when the object in [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx) was modified. +This event generates when the object in [COM+ Catalog](https://msdn.microsoft.com/library/windows/desktop/ms679196(v=vs.85).aspx) was modified. For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory. @@ -87,7 +87,7 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -99,45 +99,45 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su | Collection | Description | |------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [ApplicationCluster](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. | -| [ApplicationInstances](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. | -| [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. | -| [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. | -| [ComputerList](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. | -| [DCOMProtocols](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. | -| [ErrorInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. | -| [EventClassesForIID](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. | -| [FilesForImport](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. | -| [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. | -| [InterfacesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. | -| [LegacyComponents](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. | -| [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. | -| [LocalComputer](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. | -| [MethodsForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. | -| [Partitions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. | -| [PartitionUsers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. | -| [PropertyInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. | -| [PublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | -| [RelatedCollectionInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. | -| [Roles](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. | -| [RolesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. | -| [RolesForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. | -| [RolesForMethod](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. | -| [RolesForPartition](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. | -| [Root](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. | -| [SubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | -| [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) collection. | -| [TransientPublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | -| [TransientSubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | -| [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. | -| [UsersInPartitionRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. | -| [UsersInRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. | -| [WOWInprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. | -| [WOWLegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. | +| [ApplicationCluster](https://msdn.microsoft.com/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. | +| [ApplicationInstances](https://msdn.microsoft.com/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. | +| [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. | +| [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. | +| [ComputerList](https://msdn.microsoft.com/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. | +| [DCOMProtocols](https://msdn.microsoft.com/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. | +| [ErrorInfo](https://msdn.microsoft.com/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. | +| [EventClassesForIID](https://msdn.microsoft.com/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. | +| [FilesForImport](https://msdn.microsoft.com/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. | +| [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. | +| [InterfacesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. | +| [LegacyComponents](https://msdn.microsoft.com/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. | +| [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. | +| [LocalComputer](https://msdn.microsoft.com/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. | +| [MethodsForInterface](https://msdn.microsoft.com/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. | +| [Partitions](https://msdn.microsoft.com/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. | +| [PartitionUsers](https://msdn.microsoft.com/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. | +| [PropertyInfo](https://msdn.microsoft.com/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. | +| [PublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [RelatedCollectionInfo](https://msdn.microsoft.com/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. | +| [Roles](https://msdn.microsoft.com/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. | +| [RolesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. | +| [RolesForInterface](https://msdn.microsoft.com/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. | +| [RolesForMethod](https://msdn.microsoft.com/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. | +| [RolesForPartition](https://msdn.microsoft.com/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. | +| [Root](https://msdn.microsoft.com/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. | +| [SubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) collection. | +| [TransientPublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | +| [TransientSubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | +| [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. | +| [UsersInPartitionRole](https://msdn.microsoft.com/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. | +| [UsersInRole](https://msdn.microsoft.com/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. | +| [WOWInprocServers](https://msdn.microsoft.com/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. | +| [WOWLegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. | -- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the modified object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that: +- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the modified object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that: - - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection. + - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection. - **AppPartitionID** - A GUID representing the application partition ID. diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md index 180114aff2..17464081a1 100644 --- a/windows/security/threat-protection/auditing/event-5889.md +++ b/windows/security/threat-protection/auditing/event-5889.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when the object in the [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx) was deleted. +This event generates when the object in the [COM+ Catalog](https://msdn.microsoft.com/library/windows/desktop/ms679196(v=vs.85).aspx) was deleted. For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory. @@ -87,7 +87,7 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -99,45 +99,45 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su | Collection | Description | |------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [ApplicationCluster](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. | -| [ApplicationInstances](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. | -| [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. | -| [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. | -| [ComputerList](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. | -| [DCOMProtocols](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. | -| [ErrorInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. | -| [EventClassesForIID](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. | -| [FilesForImport](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. | -| [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. | -| [InterfacesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. | -| [LegacyComponents](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. | -| [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. | -| [LocalComputer](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. | -| [MethodsForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. | -| [Partitions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. | -| [PartitionUsers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. | -| [PropertyInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. | -| [PublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | -| [RelatedCollectionInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. | -| [Roles](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. | -| [RolesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. | -| [RolesForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. | -| [RolesForMethod](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. | -| [RolesForPartition](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. | -| [Root](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. | -| [SubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | -| [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) collection. | -| [TransientPublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | -| [TransientSubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | -| [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. | -| [UsersInPartitionRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. | -| [UsersInRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. | -| [WOWInprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. | -| [WOWLegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. | +| [ApplicationCluster](https://msdn.microsoft.com/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. | +| [ApplicationInstances](https://msdn.microsoft.com/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. | +| [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. | +| [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. | +| [ComputerList](https://msdn.microsoft.com/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. | +| [DCOMProtocols](https://msdn.microsoft.com/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. | +| [ErrorInfo](https://msdn.microsoft.com/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. | +| [EventClassesForIID](https://msdn.microsoft.com/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. | +| [FilesForImport](https://msdn.microsoft.com/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. | +| [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. | +| [InterfacesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. | +| [LegacyComponents](https://msdn.microsoft.com/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. | +| [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. | +| [LocalComputer](https://msdn.microsoft.com/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. | +| [MethodsForInterface](https://msdn.microsoft.com/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. | +| [Partitions](https://msdn.microsoft.com/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. | +| [PartitionUsers](https://msdn.microsoft.com/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. | +| [PropertyInfo](https://msdn.microsoft.com/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. | +| [PublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [RelatedCollectionInfo](https://msdn.microsoft.com/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. | +| [Roles](https://msdn.microsoft.com/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. | +| [RolesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. | +| [RolesForInterface](https://msdn.microsoft.com/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. | +| [RolesForMethod](https://msdn.microsoft.com/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. | +| [RolesForPartition](https://msdn.microsoft.com/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. | +| [Root](https://msdn.microsoft.com/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. | +| [SubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) collection. | +| [TransientPublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | +| [TransientSubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | +| [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. | +| [UsersInPartitionRole](https://msdn.microsoft.com/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. | +| [UsersInRole](https://msdn.microsoft.com/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. | +| [WOWInprocServers](https://msdn.microsoft.com/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. | +| [WOWLegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. | -- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the deleted object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that: +- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the deleted object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that: - - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection. + - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection. - **AppPartitionID** - A GUID representing the application partition ID. diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md index c9dcc8b7e8..bc95e8cd18 100644 --- a/windows/security/threat-protection/auditing/event-5890.md +++ b/windows/security/threat-protection/auditing/event-5890.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -23,7 +23,7 @@ ms.date: 04/19/2017 ***Event Description:*** -This event generates when new object was added to the [COM+ Catalog](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679196(v=vs.85).aspx). +This event generates when new object was added to the [COM+ Catalog](https://msdn.microsoft.com/library/windows/desktop/ms679196(v=vs.85).aspx). For some reason this event belongs to [Audit System Integrity](event-5890.md) subcategory, but generation of this event enables in this subcategory. @@ -87,7 +87,7 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. @@ -99,45 +99,45 @@ For some reason this event belongs to [Audit System Integrity](event-5890.md) su | Collection | Description | |------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [ApplicationCluster](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. | -| [ApplicationInstances](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. | -| [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. | -| [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. | -| [ComputerList](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. | -| [DCOMProtocols](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. | -| [ErrorInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. | -| [EventClassesForIID](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. | -| [FilesForImport](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. | -| [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. | -| [InterfacesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. | -| [LegacyComponents](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. | -| [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. | -| [LocalComputer](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. | -| [MethodsForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. | -| [Partitions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. | -| [PartitionUsers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. | -| [PropertyInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. | -| [PublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | -| [RelatedCollectionInfo](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. | -| [Roles](https://msdn.microsoft.com/en-us/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. | -| [RolesForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. | -| [RolesForInterface](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. | -| [RolesForMethod](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. | -| [RolesForPartition](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. | -| [Root](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. | -| [SubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | -| [SubscriptionsForComponent](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688285(v=vs.85).aspx) collection. | -| [TransientPublisherProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | -| [TransientSubscriberProperties](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | -| [TransientSubscriptions](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. | -| [UsersInPartitionRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. | -| [UsersInRole](https://msdn.microsoft.com/en-us/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. | -| [WOWInprocServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. | -| [WOWLegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/en-us/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. | +| [ApplicationCluster](https://msdn.microsoft.com/library/windows/desktop/ms683600(v=vs.85).aspx) | Contains a list of the servers in the application cluster. | +| [ApplicationInstances](https://msdn.microsoft.com/library/windows/desktop/ms679173(v=vs.85).aspx) | Contains an object for each instance of a running COM+ application. | +| [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx) | Contains an object for each COM+ application installed on the local computer. | +| [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) | Contains an object for each component in the application to which it is related. | +| [ComputerList](https://msdn.microsoft.com/library/windows/desktop/ms681320(v=vs.85).aspx) | Contains a list of the computers found in the Computers folder of the Component Services administration tool. | +| [DCOMProtocols](https://msdn.microsoft.com/library/windows/desktop/ms688297(v=vs.85).aspx) | Contains a list of the protocols to be used by DCOM. It contains an object for each protocol. | +| [ErrorInfo](https://msdn.microsoft.com/library/windows/desktop/ms686530(v=vs.85).aspx) | Retrieves extended error information regarding methods that deal with multiple objects. | +| [EventClassesForIID](https://msdn.microsoft.com/library/windows/desktop/ms679576(v=vs.85).aspx) | Retrieves information regarding event classes. | +| [FilesForImport](https://msdn.microsoft.com/library/windows/desktop/ms685046(v=vs.85).aspx) | Retrieves information from its MSI file about an application that can be imported. | +| [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system. It contains an object for each component. | +| [InterfacesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687751(v=vs.85).aspx) | Contains an object for each interface exposed by the component to which the collection is related. | +| [LegacyComponents](https://msdn.microsoft.com/library/windows/desktop/ms683616(v=vs.85).aspx) | Contains an object for each unconfigured component in the application to which it is related. | +| [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) | Identical to the [InprocServers](https://msdn.microsoft.com/library/windows/desktop/ms678949(v=vs.85).aspx) collection except that this collection also includes local servers. | +| [LocalComputer](https://msdn.microsoft.com/library/windows/desktop/ms682790(v=vs.85).aspx) | Contains a single object that holds computer level settings information for the computer whose catalog you are accessing. | +| [MethodsForInterface](https://msdn.microsoft.com/library/windows/desktop/ms687595(v=vs.85).aspx) | Contains an object for each method on the interface to which the collection is related. | +| [Partitions](https://msdn.microsoft.com/library/windows/desktop/ms679480(v=vs.85).aspx) | Used to specify the applications contained in each partition. | +| [PartitionUsers](https://msdn.microsoft.com/library/windows/desktop/ms686081(v=vs.85).aspx) | Used to specify the users contained in each partition. | +| [PropertyInfo](https://msdn.microsoft.com/library/windows/desktop/ms681735(v=vs.85).aspx) | Retrieves information about the properties that a specified collection supports. | +| [PublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms682794(v=vs.85).aspx) | Contains an object for each publisher property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [RelatedCollectionInfo](https://msdn.microsoft.com/library/windows/desktop/ms686925(v=vs.85).aspx) | Retrieves information about other collections related to the collection from which it is called. | +| [Roles](https://msdn.microsoft.com/library/windows/desktop/ms683613(v=vs.85).aspx) | Contains an object for each role assigned to the application to which it is related. | +| [RolesForComponent](https://msdn.microsoft.com/library/windows/desktop/ms686119(v=vs.85).aspx) | Contains an object for each role assigned to the component to which the collection is related. | +| [RolesForInterface](https://msdn.microsoft.com/library/windows/desktop/ms688303(v=vs.85).aspx) | Contains an object for each role assigned to the interface to which the collection is related. | +| [RolesForMethod](https://msdn.microsoft.com/library/windows/desktop/ms679943(v=vs.85).aspx) | Contains an object for each role assigned to the method to which the collection is related. | +| [RolesForPartition](https://msdn.microsoft.com/library/windows/desktop/ms681316(v=vs.85).aspx) | Contains an object for each role assigned to the partition to which the collection is related. | +| [Root](https://msdn.microsoft.com/library/windows/desktop/ms682277(v=vs.85).aspx) | Contains the top-level collections on the catalog. | +| [SubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms681611(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) collection. | +| [SubscriptionsForComponent](https://msdn.microsoft.com/library/windows/desktop/ms687726(v=vs.85).aspx) | Contains an object for each subscription for the parent [Components](https://msdn.microsoft.com/library/windows/desktop/ms688285(v=vs.85).aspx) collection. | +| [TransientPublisherProperties](https://msdn.microsoft.com/library/windows/desktop/ms681793(v=vs.85).aspx) | Contains an object for each publisher property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | +| [TransientSubscriberProperties](https://msdn.microsoft.com/library/windows/desktop/ms686051(v=vs.85).aspx) | Contains an object for each subscriber property for the parent [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) collection. | +| [TransientSubscriptions](https://msdn.microsoft.com/library/windows/desktop/ms686100(v=vs.85).aspx) | Contains an object for each transient subscription. | +| [UsersInPartitionRole](https://msdn.microsoft.com/library/windows/desktop/ms686441(v=vs.85).aspx) | Contains an object for each user in the partition role to which the collection is related. | +| [UsersInRole](https://msdn.microsoft.com/library/windows/desktop/ms687622(v=vs.85).aspx) | Contains an object for each user in the role to which the collection is related. | +| [WOWInprocServers](https://msdn.microsoft.com/library/windows/desktop/ms681249(v=vs.85).aspx) | Contains a list of the in-process servers registered with the system for 32-bit components on 64-bit computers. | +| [WOWLegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms682774(v=vs.85).aspx) | Identical to the [LegacyServers](https://msdn.microsoft.com/library/windows/desktop/ms685965(v=vs.85).aspx) collection except that this collection is drawn from the 32-bit registry on 64-bit computers. | -- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the new object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that: +- **Object Name** \[Type = UnicodeString\]: object-specific fields with the names and identifiers for the new object. It depends on **COM+ Catalog Collection** value, for example, if **COM+ Catalog Collection** = [Applications](https://msdn.microsoft.com/library/windows/desktop/ms686107(v=vs.85).aspx), then you can find that: - - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection. + - **ID** - A GUID representing the application. This property is returned when the [Key](https://msdn.microsoft.com/library/windows/desktop/ms679201(v=vs.85).aspx) property method is called on an object of this collection. - **AppPartitionID** - A GUID representing the application partition ID. diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md index 6001c97965..85812bc35a 100644 --- a/windows/security/threat-protection/auditing/event-6144.md +++ b/windows/security/threat-protection/auditing/event-6144.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md index 0c7df89384..37240250e1 100644 --- a/windows/security/threat-protection/auditing/event-6145.md +++ b/windows/security/threat-protection/auditing/event-6145.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -25,7 +25,7 @@ ms.date: 04/19/2017 This event generates every time settings from the “Security Settings” section in the group policy object are applied to a computer with one or more errors. This event generates on the target computer itself. -This event generates, for example, if the [SID](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx) of a security principal which was included in one of the Group Policy settings cannot be resolved or translated to the real account name. +This event generates, for example, if the [SID](https://msdn.microsoft.com/library/windows/desktop/aa379571(v=vs.85).aspx) of a security principal which was included in one of the Group Policy settings cannot be resolved or translated to the real account name. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -66,7 +66,7 @@ This event generates, for example, if the [SID](https://msdn.microsoft.com/en-us ***Field Descriptions:*** -**Error Code** \[Type = UInt32\]: specific error code which shows the error which happened during Group Policy processing. You can find the meaning of specific error code here: . For example, error code 1332 means that “no mapping between account names and security IDs was done”. +**Error Code** \[Type = UInt32\]: specific error code which shows the error which happened during Group Policy processing. You can find the meaning of specific error code here: . For example, error code 1332 means that “no mapping between account names and security IDs was done”. **GPO List** \[Type = UnicodeString\]: the list of Group Policy Objects that include “Security Settings” policies, and that were applied with errors to the computer. The format of the list item is: “GROUP\_POLICY\_GUID GROUP\_POLICY\_NAME”. diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md index 91740aeefb..1b9a06d330 100644 --- a/windows/security/threat-protection/auditing/event-6281.md +++ b/windows/security/threat-protection/auditing/event-6281.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -19,9 +19,9 @@ ms.date: 04/19/2017 The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error. -[Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. +[Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. -This event generates when [code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error. +This event generates when [code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. This event also generates when signing certificate was revoked. The invalid hashes could indicate a potential disk device error. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index 8846fca660..d3960785be 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. +[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index eb91491cd0..0da649b589 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. +[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index 4a1a25539a..2fcb77675b 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. +[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index 28eef92c52..3d31c4ea53 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. +[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index 2a7e910540..d342600472 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. +[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md index 7fc3ad0806..395aec2969 100644 --- a/windows/security/threat-protection/auditing/event-6405.md +++ b/windows/security/threat-protection/auditing/event-6405.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. +[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md index 8d55408ad9..7aa27d026a 100644 --- a/windows/security/threat-protection/auditing/event-6406.md +++ b/windows/security/threat-protection/auditing/event-6406.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. +[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md index ba34e7a26e..9f67036b36 100644 --- a/windows/security/threat-protection/auditing/event-6407.md +++ b/windows/security/threat-protection/auditing/event-6407.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. +[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md index 1f54ca83b1..ac60e54bc0 100644 --- a/windows/security/threat-protection/auditing/event-6408.md +++ b/windows/security/threat-protection/auditing/event-6408.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. +[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index b5e0e99e03..e81d22b4dc 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,7 +17,7 @@ ms.date: 04/19/2017 - Windows Server 2016 -[BranchCache](https://technet.microsoft.com/en-us/library/dd425028.aspx) events are outside the scope of this document. +[BranchCache](https://technet.microsoft.com/library/dd425028.aspx) events are outside the scope of this document. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md index f1c92358f7..57f2ac326b 100644 --- a/windows/security/threat-protection/auditing/event-6410.md +++ b/windows/security/threat-protection/auditing/event-6410.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -17,9 +17,9 @@ ms.date: 04/19/2017 - Windows Server 2016 -[Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. +[Code Integrity](https://technet.microsoft.com/library/dd348642(v=ws.10).aspx) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. -This event generates due to writable [shared sections](https://msdn.microsoft.com/en-us/library/windows/desktop/cc307397.aspx) being present in a file image. +This event generates due to writable [shared sections](https://msdn.microsoft.com/library/windows/desktop/cc307397.aspx) being present in a file image. There is no example of this event in this document. diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md index 812286011b..6ca70bcf89 100644 --- a/windows/security/threat-protection/auditing/event-6416.md +++ b/windows/security/threat-protection/auditing/event-6416.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -101,7 +101,7 @@ This event generates, for example, when a new external device is connected or en - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md index b2f31d721b..54ca896a1b 100644 --- a/windows/security/threat-protection/auditing/event-6419.md +++ b/windows/security/threat-protection/auditing/event-6419.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -91,7 +91,7 @@ This event doesn’t mean that device was disabled. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md index da80a07bdc..d46e2ecd33 100644 --- a/windows/security/threat-protection/auditing/event-6420.md +++ b/windows/security/threat-protection/auditing/event-6420.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -89,7 +89,7 @@ This event generates every time specific device was disabled. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md index 0b09ff7dee..acb4ed0392 100644 --- a/windows/security/threat-protection/auditing/event-6421.md +++ b/windows/security/threat-protection/auditing/event-6421.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -91,7 +91,7 @@ This event doesn’t mean that device was enabled. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md index 42d91b1f65..ec696c704a 100644 --- a/windows/security/threat-protection/auditing/event-6422.md +++ b/windows/security/threat-protection/auditing/event-6422.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -89,7 +89,7 @@ This event generates every time specific device was enabled. - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md index e3eb81e79d..75c0c89e97 100644 --- a/windows/security/threat-protection/auditing/event-6423.md +++ b/windows/security/threat-protection/auditing/event-6423.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- @@ -91,7 +91,7 @@ Device installation restriction group policies are located here: **\\Computer Co - Uppercase full domain name: CONTOSO.LOCAL - - For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. + - For some [well-known security principals](https://support.microsoft.com/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”. - For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”. diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md index a4ef6c15e8..d9f0466d51 100644 --- a/windows/security/threat-protection/auditing/event-6424.md +++ b/windows/security/threat-protection/auditing/event-6424.md @@ -5,7 +5,7 @@ ms.pagetype: security ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.localizationpriority: medium +ms.localizationpriority: none author: Mir0sh ms.date: 04/19/2017 --- diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md new file mode 100644 index 0000000000..7bfef9f9db --- /dev/null +++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md @@ -0,0 +1,129 @@ +--- +title: How to get a list of XML data name elements in (Windows 10) +description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML data name elements that can appear in . +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: tedhardyMSFT +ms.date: 10/22/2018 +--- + +# How to get a list of XML data name elements in EventData + +**Applies to** +- Windows 10 + +The Security log uses a manifest where you can get all of the event schema. + +Run the following from an elevated PowerShell prompt: + +```powershell +$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing" +``` + +The .events property is a collection of all of the events listed in the manifest on the local machine. + +For each event, there is a .Template property for the XML template used for the event properties (if there are any). + +For example: + +```powershell +PS C:\WINDOWS\system32> $SecEvents.events[100] + + +Id : 4734 +Version : 0 +LogLink : System.Diagnostics.Eventing.Reader.EventLogLink +Level : System.Diagnostics.Eventing.Reader.EventLevel +Opcode : System.Diagnostics.Eventing.Reader.EventOpcode +Task : System.Diagnostics.Eventing.Reader.EventTask +Keywords : {} +Template : + +Description : A security-enabled local group was deleted. + + Subject: + Security ID: %4 + Account Name: %5 + Account Domain: %6 + Logon ID: %7 + + Group: + Security ID: %3 + Group Name: %1 + Group Domain: %2 + + Additional Information: + Privileges: %8 + + + +PS C:\WINDOWS\system32> $SecEvents.events[100].Template + + +``` + +## Mapping data name elements to the names in an event description + +You can use the <Template> and <Description> to map the data name elements that appear in XML view to the names that appear in the event description. + +The <Description> is just the format string (if you’re used to Console.Writeline or sprintf statements) and the <Template> is the source of the input parameters for the <Description>. + +Using Security event 4734 as an example: + +```xml +Template : + +Description : A security-enabled local group was deleted. + + Subject: + Security ID: %4 + Account Name: %5 + Account Domain: %6 + Logon ID: %7 + + Group: + Security ID: %3 + Group Name: %1 + Group Domain: %2 + + Additional Information: + Privileges: %8 + +``` + +For the **Subject: Security Id:** text element, it will use the fourth element in the Template, **SubjectUserSid**. + +For **Additional Information Privileges:**, it would use the eighth element **PrivilegeList**. + +A caveat to this is an oft-overlooked property of events called Version (in the <SYSTEM> element) that indicates the revision of the event schema and description. Most events have 1 version (all events have Version =0 like the Security/4734 example) but a few events like Security/4624 or Security/4688 have at least 3 versions (versions 0, 1, 2) depending on the OS version where the event is generated. Only the latest version is used for generating events in the Security log. In any case, the Event Version where the Template is taken from should use the same Event Version for the Description. + diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md index dfa28ec177..c318406475 100644 --- a/windows/security/threat-protection/change-history-for-threat-protection.md +++ b/windows/security/threat-protection/change-history-for-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Change history for Windows Defender Advanced Threat Protection (Windows Defender ATP) +title: Change history for [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) description: This topic lists new and updated topics in the WWindows Defender ATP content set. ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md new file mode 100644 index 0000000000..1f94b66e1c --- /dev/null +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -0,0 +1,187 @@ +--- +title: How to control USB devices and other removable media using Intune (Windows 10) +description: You can configure Intune settings to reduce threats from removable storage such as USB devices. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +ms.author: justinha +author: justinha +ms.date: 12/20/2018 +--- + +# How to control USB devices and other removable media using Windows Defender ATP + +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +Windows Defender ATP provides multiple monitoring and control features for USB peripherals to help prevent threats in unauthorized peripherals from compromising your devices: + +1. [Prevent threats from removable storage](#prevent-threats-from-removable-storage) introduced by removable storage devices by enabling: + - [Windows Defender Antivirus real-time protection (RTP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) to scan removable storage for malware. + - The [Exploit Guard Attack Surface Reduction (ASR) USB rule](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to block untrusted and unsigned processes that run from USB. + - [Direct Memory Access (DMA) protection settings](#protect-against-direct-memory-access-dma-attacks) to mitigate DMA attacks, including [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) and blocking DMA until a user signs in. + +2. [Detect plug and play connected events for peripherals in Windows Defender ATP advanced hunting](#detect-plug-and-play-connected-events) + - Identify or investigate suspicious usage activity. Create customized alerts based on these PnP events or any other Windows Defender ATP events with [custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). + +3. [Respond to threats](#respond-to-threats) from peripherals in real-time based on properties reported by each peripheral: + - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. + - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. + +>[!NOTE] +>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. + +For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). + +## Prevent threats from removable storage + +Windows Defender ATP can help identify and block malicious files on allowed removable storage peripherals. + +### Enable Windows Defender Antivirus Scanning + +Protecting authorized removable storage with Windows Defender Antivirus requires [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) or scheduling scans and configuring removable drives for scans. + +- If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. You can optionally [run a PowerShell script to perform a custom scan](https://aka.ms/scanusb) of a USB drive after it is mounted, so that Windows Defender Antivirus starts scanning all files on a removable device once the removable device is attached. However, we recommend enabling real-time protection for improved scanning performance, especially for large storage devices. +- If scheduled scans are used, then you need to disable the DisableRemovableDriveScanning setting (enabled by default) to scan the removable device during a full scan. Removable devices are scanned during a quick or custom scan regardless of the DisableRemovableDriveScanning setting. + +>[!NOTE] +>We recommend enabling real-time monitoring for scanning. In Intune, you can enable real-time monitoring for Windows 10 in **Device Restrictions** > **Configure** > **Windows Defender Antivirus** > **Real-time monitoring**. + + + +### Block untrusted and unsigned processes on USB peripherals + +End-users might plug in removable devices that are infected with malware. +To prevent infections, a company can block USB files that are unsigned or untrusted. +Alternatively, companies can leverage the audit feature of attack surface reduction rules to monitor the activity of untrusted and unsigned processes that execute on a USB peripheral. +This can be done by setting **Untrusted and unsigned processes that run from USB** to either **Block** or **Audit only**, respectively. +With this rule, admins can prevent or audit unsigned or untrusted executable files from running from USB removable drives, including SD cards. +Affected file types include executable files (such as .exe, .dll, or .scr) and script files such as a PowerShell (.ps), VisualBasic (.vbs), or JavaScript (.js) files. + +These settings require [enabling real-time protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + +1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. + + ![Create device configuration profile](images/create-device-configuration-profile.png) + +3. Use the following settings: + + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 or later + - Profile type: Endpoint protection + + ![Create endpoint protection profile](images/create-endpoint-protection-profile.png) + +4. Click **Configure** > **Windows Defender Exploit Guard** > **Attack Surface Reduction**. + +5. For **Unsigned and untrusted processes that run from USB**, choose **Block**. + + ![Block untrusted processes](images/block-untrusted-processes.png) + +6. Click **OK** to close **Attack Surface Reduction**, **Windows Defender Exploit Guard**, and **Endpoint protection**. + +7. Click **Create** to save the profile. + +### Protect against Direct Memory Access (DMA) attacks + +DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely. The following settings help to prevent DMA attacks: + +1. Beginning with Windows 10 version 1803, Microsoft introduced [Kernel DMA Protection for Thunderbolt](https://docs.microsoft.com/windows/security/information-protection/kernel-dma-protection-for-thunderbolt) to provide native protection against DMA attacks via Thunderbolt ports. Kernel DMA Protection for Thunderbolt is enabled by system manufacturers and cannot be turned on or off by users. + + Beginning with Windows 10 version 1809, you can adjust the level of Kernel DMA Protection by configuring the [DMA Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-deviceenumerationpolicy). This is an additional control for peripherals that don't support device memory isolation (also known as DMA-remapping). Memory isolation allows the OS to leverage the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access, by the peripheral (memory sandboxing). In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it. + + Peripherals that support device memory isolation can always connect. Peripherals that don't can be blocked, allowed, or allowed only after the user signs in (default). + +2. On Windows 10 systems that do not suppprt Kernel DMA Protection, you can: + + - [Block DMA until a user signs in](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) + - [Block all connections via the Thunderbolt ports (including USB devices)](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) + + +## Detect plug and play connected events + +You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). +Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). + +## Respond to threats + +Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. + +>[!Note] +>Always test and refine these settings with a pilot group of users and devices first before applying them in production. + +The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. +For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). + +| Control | Description | +|----------|-------------| +| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage | +| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | +| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | + +>[!Note] +>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. + +### Block installation and usage of removable storage + +1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). +2. Click **Intune** > **Device configuration** > **Profiles** > **Create profile**. + + ![Create device configuration profile](images/create-device-configuration-profile.png) + +3. Use the following settings: + + - Name: Type a name for the profile + - Description: Type a description + - Platform: Windows 10 and later + - Profile type: Device restrictions + + ![Create profile](images/create-profile.png) + +4. Click **Configure** > **General**. + +5. For **Removable storage** and **USB connection (mobile only)**, choose **Block**. **Removable storage** includes USB drives, where **USB connection (mobile only)** excludes USB charging but includes other USB connections on mobile devices only. + + ![General settings](images/general-settings.png) + +6. Click **OK** to close **General** settings and **Device restrictions**. + +7. Click **Create** to save the profile. + +### Only allow installation and usage of specifically approved peripherals + +Windows Defender ATP allows installation and usage of only specifically approved peripherals by creating a custom profile in Intune and configuring [DeviceInstallation policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation). +For example, this custom profile allows installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0". + +![Custom profile](images/custom-profile-allow-device-ids.png) + +Peripherals that are allowed to be installed can be specified by their [hardware identity](https://docs.microsoft.com/windows-hardware/drivers/install/device-identification-strings). For a list of common identifier structures, see [Device Identifier Formats](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/device-identifier-formats). Test the configuration prior to rolling it out to ensure it blocks and allows the devices expected. Ideally test various instances of the hardware. For example, test multiple USB keys rather than only one. + +For a SyncML example that allows installation of specific device IDs, see [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdeviceids). To allow specific device classes, see [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-allowinstallationofmatchingdevicesetupclasses). +Allowing installation of specific devices requires also enabling [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings). + +### Prevent installation of specifically prohibited peripherals + +Windows Defender ATP also blocks installation and usage of prohibited peripherals with a custom profile in Intune. +For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0", and applies to USB devices with matching hardware IDs that are already installed. + +![Custom profile](images/custom-profile-prevent-device-ids.png) + +For a SyncML example that prevents installation of specific device IDs, see [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids). To prevent specific device classes, see [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). + +## Related topics + +- [Configure real-time protection for Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) +- [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) +- [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) +- [Perform a custom scan of a removable device](https://aka.ms/scanusb) +- [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) +- [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) + + + diff --git a/windows/security/threat-protection/device-control/images/block-untrusted-processes.png b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png new file mode 100644 index 0000000000..3080e0d1f0 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/block-untrusted-processes.png differ diff --git a/windows/security/threat-protection/device-control/images/class-guids.png b/windows/security/threat-protection/device-control/images/class-guids.png new file mode 100644 index 0000000000..6951e4ed5a Binary files /dev/null and b/windows/security/threat-protection/device-control/images/class-guids.png differ diff --git a/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png new file mode 100644 index 0000000000..9d295dfa6b Binary files /dev/null and b/windows/security/threat-protection/device-control/images/configure-device-configuration-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png new file mode 100644 index 0000000000..1b6d4aa708 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-device-configuration-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png new file mode 100644 index 0000000000..eaba30b27f Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-endpoint-protection-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/create-profile.png b/windows/security/threat-protection/device-control/images/create-profile.png new file mode 100644 index 0000000000..ada168228e Binary files /dev/null and b/windows/security/threat-protection/device-control/images/create-profile.png differ diff --git a/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png new file mode 100644 index 0000000000..95ac48ec54 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/custom-profile-allow-device-ids.png differ diff --git a/windows/security/threat-protection/device-control/images/custom-profile-prevent-device-ids.png b/windows/security/threat-protection/device-control/images/custom-profile-prevent-device-ids.png new file mode 100644 index 0000000000..d949232d44 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/custom-profile-prevent-device-ids.png differ diff --git a/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png new file mode 100644 index 0000000000..44be977537 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/device-manager-disk-drives.png differ diff --git a/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png new file mode 100644 index 0000000000..cf8399acf4 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/disk-drive-hardware-id.png differ diff --git a/windows/security/threat-protection/device-control/images/general-settings.png b/windows/security/threat-protection/device-control/images/general-settings.png new file mode 100644 index 0000000000..152822dc29 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/general-settings.png differ diff --git a/windows/security/threat-protection/device-control/images/hardware-ids.png b/windows/security/threat-protection/device-control/images/hardware-ids.png new file mode 100644 index 0000000000..9017f289f6 Binary files /dev/null and b/windows/security/threat-protection/device-control/images/hardware-ids.png differ diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md new file mode 100644 index 0000000000..e877d200de --- /dev/null +++ b/windows/security/threat-protection/fips-140-validation.md @@ -0,0 +1,7085 @@ +--- +title: FIPS 140 Validation +description: This topic provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard FIPS 140. +ms.prod: w10 +ms.localizationpriority: medium +ms.author: daniha +author: danihalfin +ms.date: 04/03/2018 +--- + + +# FIPS 140 Validation + +On this page + + - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo) + - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd) + - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd) + - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve) + - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac) + - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac) + - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac) + - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg) + +Updated: March 2018 + +  + +## Introduction + +This document provides information on how Microsoft products and cryptographic modules comply with the U.S. Federal government standard, *Federal Information Processing Standard (FIPS) 140 – Security Requirements for Cryptographic Modules* \[FIPS 140\]. + +### Audience + +This document is primarily focused on providing information for three parties: + +[Procurement Officer](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Responsible for verifying that Microsoft products (or even third-party applications) are either FIPS 140 validated or utilize a Microsoft FIPS 140 validated cryptographic module. + +[System Integrator](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Responsible for ensuring that Microsoft Products are configured properly to use only FIPS 140 validated cryptographic modules. + +[Software Developer](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Responsible for building software products that utilize Microsoft FIPS 140 validated cryptographic modules. + +### Document Map + +This document is broken into seven major sections: + +[FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_overview) – Provides an overview of the FIPS 140 standard as well as provides some historical information about the standard. + +[Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_product_validation) – Provides information on how Microsoft products are FIPS 140 validated. + +[Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#_information_for_system) – Describes how to configure and verify that Microsoft Products are being used in a manner consistent with the product’s FIPS 140 Security Policy. + +[Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) – Identifies how developers can leverage the Microsoft FIPS 140 validated cryptographic modules. + +[FAQ](https://technet.microsoft.com/library/cc750357.aspx#_fips_140_faq) – Frequently Asked Questions. + +[Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) – Explains Microsoft cryptographic architecture and identifies specific modules that are FIPS 140 validated. + +[Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#_cryptographic_algorithms) – Lists the cryptographic algorithm, modes, states, key sizes, Windows versions, and corresponding cryptographic algorithm validation certificates. + +## FIPS 140 Overview + +### FIPS 140 Standard + +FIPS 140 is a US government and Canadian government standard that defines a minimum set of the security requirements for products that implement cryptography. This standard is designed for cryptographic modules that are used to secure sensitive but unclassified information. Testing against the FIPS 140 standard is maintained by the Cryptographic Module Validation Program (CMVP), a joint effort between the US National Institute of Standards and Technology (NIST) and the Communications Security Establishment of Canada (CSEC). + +The current standard defines four-levels of increasing security, 1 through 4. Most software products (including all Microsoft products) are tested against the Level 1 security requirements. + +### Applicability of the FIPS standard + +Within the US Federal government, the FIPS 140 standard applies to any security system (whether hardware, firmware, software, or a combination thereof) to be used by agencies for protecting sensitive but unclassified information. Some agencies have expanded its use by requiring that the modules to be procured for secret systems also meet the FIPS 140 requirements. + +The FIPS 140 standard has also been used by different standards bodies, specification groups, nations, and private institutions as a requirement or guideline for those products (e.g. – Digital Cinema Systems Specification). + +### History of 140-1 + +FIPS 140-1 is the original working version of the standard made official on January 11, 1994. The standard remained in effect until FIPS 140-2 became mandatory for new products on May 25, 2002. + +### FIPS 140-2 + +FIPS 140-2 is currently the active version of the standard. + +### Microsoft FIPS Support Policy + +Microsoft actively maintains FIPS 140 validation for its cryptographic modules. + +### FIPS Mode of Operation + +The common term “FIPS mode” is used in this document and Security Policy documents. When a cryptographic module contains both FIPS-approved and non-FIPS approved security methods, it must have a "FIPS mode of operation" to ensure only FIPS-approved security methods may be used. When a module is in "FIPS mode", a non-FIPS approved method cannot be used instead of a FIPS-approved method. + +## Microsoft Product Validation (Information for Procurement Officers and Auditors) + +This section provides information for Procurement Officers and Auditors who are responsible for ensuring that Microsoft products with FIPS 140 validated cryptographic modules are used in their organization. The goal of this section is to provide an overview of the Microsoft developed products and modules and explain how the validated cryptographic modules are used. + +### Microsoft Product Relationship with CNG and CAPI libraries + +Rather than validate individual components and products, Microsoft chooses to validate only the underlying cryptographic modules. Subsequently, many Windows components and Microsoft products are built to rely on the Cryptographic API: Next Generation (CNG) and legacy Cryptographic API (CAPI) FIPS 140 validated cryptographic modules. Windows components and Microsoft products use the documented application programming interfaces (APIs) for each of the modules to access various cryptographic services. + +The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules: + + - Schannel Security Package + - Remote Desktop Protocol (RDP) Client + - Encrypting File System (EFS) + - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) + - BitLocker® Drive Full-volume Encryption + - IPsec Settings of Windows Firewall + +## Information for System Integrators + +This section provides information for System Integrators and Auditors who are responsible for deploying Microsoft products in a manner consistent with the product’s FIPS 140 Security Policy. + +There are two steps to ensure that Microsoft products operate in FIPS mode: + +1. Selecting/Installing FIPS 140 validated cryptographic modules +2. Setting FIPS local/group security policy flag. + +### Step 1 – Selecting/Installing FIPS 140 Validated Cryptographic Modules + +Systems Integrators must ensure that all cryptographic modules installed are, in fact, FIPS 140 validated. This can be accomplished by cross-checking the version number of the installed module with the list of validated binaries. The list of validated CAPI binaries is identified in the [CAPI Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_capi_validated_cryptographic) section below and the list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section below. There are similar sections for all other validated cryptographic modules. + +The version number of the installed binary is found by right-clicking the module file and clicking on the Version or Details tab. Cryptographic modules are stored in the "windows\\system32" or "windows\\system32\\drivers" directory. + +### Step 2 – Setting FIPS Local/Group Security Policy Flag + +The Windows operating system provides a group (or local) security policy setting, “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, which is used by many Microsoft products to determine whether to operate in a FIPS-approved mode. When this policy is set, the validated cryptographic modules in Windows will also operate in a FIPS-approved mode. + +**Note** – There is no enforcement of the FIPS policy by the operating system or the validated cryptographic modules. Instead, each individual application must check this flag and enforce the Security Policy of the validated cryptographic modules. + +#### Instructions on Setting the FIPS Local/Group Security Policy Flag + +While there are alternative methods for setting the FIPS local/group security policy flag, the following method is included as a guide to users with Administrative privileges. This description is for the Local Security Policy, but the Group Security Policy may be set in a similar manner. + +1. Open the 'Run' menu by pressing the combination 'Windows Key + R'. +2. Type 'secpol.msc' and press 'Enter' or click the 'Ok' button. +3. In the Local Security Policy management console window that opens, use the left tab to navigate to the Local Policies -\> Security Options. +4. Scroll down the right pane and double-click 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'. +5. In the properties window, select the 'Enabled' option and click the 'Apply' button. + +#### Microsoft Components and Products That Utilize FIPS Local/Group Security Policy + +The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy. + + - Schannel Security Package + - Remote Desktop Protocol (RDP) Client + - Encrypting File System (EFS) + - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) + - BitLocker® Drive Full-volume Encryption + - IPsec Settings of Windows Firewall + +#### Effects of Setting FIPS Local/Group Security Policy Flag + +When setting the FIPS local/group security policy flag, the behavior of several Microsoft components and products are affected. The most noticeable difference will be that the components enforcing this setting will only use those algorithms approved or allowed in FIPS mode. The specific changes to the products listed above are: + + - Schannel Security Package forced to negotiate sessions using TLS. The following supported Cipher Suites are disabled: + + - - TLS\_RSA\_WITH\_RC4\_128\_SHA + - TLS\_RSA\_WITH\_RC4\_128\_MD5 + - SSL\_CK\_RC4\_128\_WITH\_MD5 + - SSL\_CK\_DES\_192\_EDE3\_CBC\_WITH\_MD5 + - TLS\_RSA\_WITH\_NULL\_MD5 + - TLS\_RSA\_WITH\_NULL\_SHA + + - The set of cryptographic algorithms that a Remote Desktop Protocol (RDP) server will use is scoped to: + + - - CALG\_RSA\_KEYX - RSA public key exchange algorithm + - CALG\_3DES - Triple DES encryption algorithm + - CALG\_AES\_128 - 128 bit AES + - CALG\_AES\_256 - 256 bit AES + - CALG\_SHA1 - SHA hashing algorithm + - CALG\_SHA\_256 - 256 bit SHA hashing algorithm + - CALG\_SHA\_384 - 384 bit SHA hashing algorithm + - CALG\_SHA\_512 - 512 bit SHA hashing algorithm + + - Any Microsoft .NET Framework applications, such as Microsoft ASP.NET or Windows Communication Foundation (WCF), only allow algorithm implementations that are validated to FIPS 140, meaning only classes that end in "CryptoServiceProvider" or "Cng" can be used. Any attempt to create an instance of other cryptographic algorithm classes or create instances that use non-allowed algorithms will cause an InvalidOperationException exception. + + - Verification of ClickOnce applications fails unless the client computer has .NET Framework 2.0 SP1 or later service pack installed or .NET Framework 3.5 or later installed. + + - On Windows Vista and Windows Server 2008 and later, BitLocker Drive Encryption switches from AES-128 using the elephant diffuser to using the approved AES-256 encryption. Recovery passwords are not created or backed up. Instead, backup a recovery key on a local drive or on a network share. To use the recovery key, put the key on a USB device and plug the device into the computer. + +Please be aware that selection of FIPS mode can limit product functionality (See ). + +## Information for Software Developers + +This section is targeted at developers who wish to build their own applications using the FIPS 140 validated cryptographic modules. + +Each of the validated cryptographic modules defines a series of rules that must be followed. The security rules for each validated cryptographic module are specified in the Security Policy document. Links to each of the Security Policy documents is provided in the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section below. Generally, the restriction in Microsoft validated cryptographic modules is limiting the use of cryptography to only FIPS Approved cryptographic algorithms, modes, and key sizes. + +### Using Microsoft Cryptographic Modules in a FIPS mode of operation + +No matter whether developing with native languages or using .NET, it is important to first check whether the CNG modules for the target system are FIPS validated. The list of validated CNG binaries is identified in the [CNG Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_cng_validated_cryptographic) section. + +When developing using CNG directly, it is the responsibility of the developer to follow the security rules outlined in the FIPS 140 Security Policy for each module. The security policy for each module is provided on the CMVP website. Links to each of the Security Policy documents is provided in the tables below. It is important to remember that setting the FIPS local/group security policy Flag (discussed above) does not affect the behavior of the modules when used for developing custom applications. + +If you are developing your application using .NET instead of using the native libraries, then setting the FIPS local policy flag will generate an exception when an improper .NET class is used for cryptography (i.e. the cryptographic classes whose names end in "Managed"). The names of these allowed classes end with "Cng", which use the CNG binaries or "CryptoServiceProvider", which use the legacy CAPI binaries. + +### Key Strengths and Validity Periods + +NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths, dated November 2015, \[[SP 800-131A](http://dx.doi.org/10.6028/nist.sp.800-131ar1)\], offers guidance for moving to stronger cryptographic keys and algorithms. This does not replace NIST SP 800-57, Recommendation for Key Management Part 1: General, \[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\], but gives more specific guidance. One of the most important topics discussed in these publications deals with the key strengths of FIPS Approved algorithms and their validity periods. When developing applications that use FIPS Approved algorithms, it is also extremely important to select appropriate key sizes based on the security lifetimes recommended by NIST. + +## FIPS 140 FAQ + +The following are answers to commonly asked questions for the FIPS 140-2 validation of Microsoft products. + +1. How does FIPS 140 relate to the Common Criteria? + **Answer:** These are two separate security standards with different, but complementary, purposes. FIPS 140 is a standard designed specifically for validating product modules that implement cryptography. On the other hand, Common Criteria is designed to help evaluate security functions in IT products. + In many cases, Common Criteria evaluations will rely on FIPS 140 validations to provide assurance that cryptographic functionality is implemented properly. +2. How does FIPS 140 relate to Suite B? + **Answer:** Suite B is simply a set of cryptographic algorithms defined by the U.S. National Security Agency (NSA) as part of its Cryptographic Modernization Program. The set of Suite B cryptographic algorithms are to be used for both unclassified information and most classified information. + The Suite B cryptographic algorithms are a subset of the FIPS Approved cryptographic algorithms as allowed by the FIPS 140 standard. +3. There are so many modules listed on the NIST website for each release, how are they related and how do I tell which one applies to me? + **Answer:** Microsoft strives to validate all releases of its cryptographic modules. Each module provides a different set of cryptographic algorithms. If you are required to use only FIPS validated cryptographic modules, you simply need to verify that the version being used appears on the validation list. + Please see the [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140)section for a complete list of Microsoft validated modules. +4. My application links against crypt32.dll, cryptsp.dll, advapi32.dll, bcrypt.dll, bcryptprimitives.dll, or ncrypt.dll. What do I need to do to assure I’m using FIPS 140 validated cryptographic modules? + **Answer:** crypt32.dll, cryptsp.dll, advapi32.dll, and ncrypt.dll are intermediary libraries that will offload all cryptographic operations to the FIPS validated cryptographic modules. Bcrypt.dll itself is a validated cryptographic module for Windows Vista and Windows Server 2008. For Windows 7 and Windows Server 2008 R2 and later, bcryptprimitives.dll is the validated module, but bcrypt.dll remains as one of the libraries to link against. + You must first verify that the underlying CNG cryptographic module is validated. Once verified, you'll need to confirm that you're using the module correctly in FIPS mode (See [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#_information_for_software) section for details). +5. What does "When operated in FIPS mode" mean on certificates? + **Answer:** This caveat identifies that a required configuration and security rules must be followed in order to use the cryptographic module in a manner consistent with its FIPS 140 Security Policy. The security rules are defined in the Security Policy for the module and usually revolve around using only FIPS Approved cryptographic algorithms and key sizes. Please see the Security Policy for the specific security rules for each cryptographic module (See [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#_microsoft_fips_140) section for links to each policy). +6. Which FIPS validated module is called when Windows 7 or Windows 8 is configured to use the FIPS setting in the wireless configuration? + **Answer:** CNG is used. This setting tells the wireless driver to call FIPS 140-2 validated cryptographic modules instead of using the driver’s own cryptography, if any. +7. Is BitLocker to Go FIPS 140-2 validated? + **Answer:** There are two separate parts for BitLocker to Go. One part is simply a native feature of BitLocker and as such, it uses FIPS 140-2 validated cryptographic modules. The other part is the BitLocker to Go Reader application for down-level support of older operating systems such as Windows XP and Windows Vista. The Reader application does not use FIPS 140-2 validated cryptographic modules. +8. Are applications FIPS 140-2 validated? + **Answer:** Microsoft only has low-level cryptographic modules in Windows FIPS 140-2 validated, not high-level applications. A better question is whether a certain application calls a FIPS 140-2 validated cryptographic module in the underlying Windows OS. That question needs to be directed to the company/product group that created the application of interest. +9. How can Systems Center Operations Manager 2012 be configured to use FIPS 140-2 validated cryptographic modules? + **Answer:** See [http://technet.microsoft.com/library/hh914094.aspx](https://technet.microsoft.com/library/hh914094.aspx) + +## Microsoft FIPS 140 Validated Cryptographic Modules + +### Modules By Operating System + +The following tables identify the Cryptographic Modules for an operating system. + +#### Windows + +##### Windows 10 Creators Update (Version 1703) + +Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.15063#3095

    FIPS Approved algorithms: AES (Cert. #4624); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2522); SHS (Cert. #3790); Triple-DES (Cert. #2459)
    +
    +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #1281); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #1278)

    Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.15063#3094

    #3094

    +

    FIPS Approved algorithms: AES (Certs. #4624 and #4626); CKG (vendor affirmed); CVL (Certs. #1278 and #1281); DRBG (Cert. #1555); DSA (Cert. #1223); ECDSA (Cert. #1133); HMAC (Cert. #3061); KAS (Cert. #127); KBKDF (Cert. #140); KTS (AES Cert. #4626; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2521 and #2523); SHS (Cert. #3790); Triple-DES (Cert. #2459)
    +
    +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert.#1133); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert.#2521); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert.#1281)

    Boot Manager10.0.15063#3089

    FIPS Approved algorithms: AES (Certs. #4624 and #4625); CKG (vendor affirmed); HMAC (Cert. #3061); PBKDF (vendor affirmed); RSA (Cert. #2523); SHS (Cert. #3790)

    +

    Other algorithms: PBKDF (vendor affirmed); VMK KDF (vendor affirmed)

    Windows OS Loader10.0.15063#3090

    FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)

    +

    Other algorithms: NDRNG

    Windows Resume[1]10.0.15063#3091FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2523); SHS (Cert. #3790)
    BitLocker® Dump Filter[2]10.0.15063#3092FIPS Approved algorithms: AES (Certs. #4624 and #4625); RSA (Cert. #2522); SHS (Cert. #3790)
    Code Integrity (ci.dll)10.0.15063#3093

    FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

    Secure Kernel Code Integrity (skci.dll)[3]10.0.15063#3096

    FIPS Approved algorithms: AES (Cert. #4624); RSA (Certs. #2522 and #2523); SHS (Cert. #3790)

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v1.5 - RSASP1 Signature Primitive (Cert. #1282)

    + + +\[1\] Applies only to Home, Pro, Enterprise, Education and S + +\[2\] Applies only to Pro, Enterprise, Education, S, Mobile and Surface Hub + +\[3\] Applies only to Pro, Enterprise Education and S + +##### Windows 10 Anniversary Update (Version 1607) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.14393#2937

    FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
    +
    +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #886)

    Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.14393#2936

    FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
    +
    +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #922); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #887)

    Boot Manager10.0.14393#2931

    FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

    +

    Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

    BitLocker® Windows OS Loader (winload)10.0.14393#2932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: NDRNG; MD5
    BitLocker® Windows Resume (winresume)[1]10.0.14393#2933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)[2]10.0.14393#2934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
    Code Integrity (ci.dll)10.0.14393#2935

    FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: AES (non-compliant); MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

    Secure Kernel Code Integrity (skci.dll)[3]10.0.14393#2938

    FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
    +
    +Other algorithms: MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #888)

    + + +\[1\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[2\] Applies only to Pro, Enterprise, Enterprise LTSB and Mobile + +\[3\] Applies only to Pro, Enterprise and Enterprise LTSB + +##### Windows 10 November 2015 Update (Version 1511) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10586#2606

    FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs. #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
    +
    +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #664)

    Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10586#2605

    FIPS Approved algorithms: AES (Certs. #3629); DRBG (Certs. #955); DSA (Certs.  #1024); ECDSA (Certs. #760); HMAC (Certs. #2381); KAS (Certs. #72; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #72); KTS (AES Certs. #3653; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1887, #1888 and #1889); SHS (Certs. #3047); Triple-DES (Certs. #2024)
    +
    +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #666); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #663)

    Boot Manager[4]10.0.10586#2700FIPS Approved algorithms: AES (Certs. #3653); HMAC (Cert. #2381); PBKDF (vendor affirmed); RSA (Cert. #1871); SHS (Certs. #3047 and #3048)
    +
    +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
    BitLocker® Windows OS Loader (winload)[5]10.0.10586#2701FIPS Approved algorithms: AES (Certs. #3629 and #3653); RSA (Cert. #1871); SHS (Cert. #3048)
    +
    +Other algorithms: MD5; NDRNG
    BitLocker® Windows Resume (winresume)[6]10.0.10586#2702FIPS Approved algorithms: AES (Certs. #3653); RSA (Cert. #1871); SHS (Cert. #3048)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)[7]10.0.10586#2703FIPS Approved algorithms: AES (Certs. #3653)
    Code Integrity (ci.dll)10.0.10586#2604

    FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
    +
    +Other algorithms: AES (non-compliant); MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

    Secure Kernel Code Integrity (skci.dll)[8]10.0.10586#2607

    FIPS Approved algorithms: RSA (Certs. #1871); SHS (Certs. #3048)
    +
    +Other algorithms: MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #665)

    + + +\[4\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub + +\[5\] Applies only to Home, Pro, Enterprise, Mobile and Surface Hub + +\[6\] Applies only to Home, Pro and Enterprise + +\[7\] Applies only to Pro, Enterprise, Mobile and Surface Hub + +\[8\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 10 (Version 1507) + +Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface Hub + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.10240#2606

    FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
    +
    +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #575)

    Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.10240#2605

    FIPS Approved algorithms: AES (Certs. #3497); DRBG (Certs. #868); DSA (Certs. #983); ECDSA (Certs. #706); HMAC (Certs. #2233); KAS (Certs. #64; key agreement; key establishment methodology provides between 112 and 256 bits of encryption strength); KBKDF (Certs. #66); KTS (AES Certs. #3507; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #1783, #1798, and #1802); SHS (Certs. #2886); Triple-DES (Certs. #1969)
    +
    +Other algorithms: DES; HMAC-MD5; Legacy CAPI KDF; MD2; MD4; MD5; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572); FIPS186-4 RSA; RSADP - RSADP Primitive (Cert. #576)

    Boot Manager[9]10.0.10240#2600FIPS Approved algorithms: AES (Cert. #3497); HMAC (Cert. #2233); KTS (AES Cert. #3498); PBKDF (vendor affirmed); RSA (Cert. #1784); SHS (Certs. #2871 and #2886)
    +
    +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
    BitLocker® Windows OS Loader (winload)[10]10.0.10240#2601FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
    +
    +Other algorithms: MD5; NDRNG
    BitLocker® Windows Resume (winresume)[11]10.0.10240#2602FIPS Approved algorithms: AES (Certs. #3497 and #3498); RSA (Cert. #1784); SHS (Cert. #2871)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)[12]10.0.10240#2603FIPS Approved algorithms: AES (Certs. #3497 and #3498)
    Code Integrity (ci.dll)10.0.10240#2604

    FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
    +
    +Other algorithms: AES (non-compliant); MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

    Secure Kernel Code Integrity (skci.dll)[13]10.0.10240#2607

    FIPS Approved algorithms: RSA (Certs. #1784); SHS (Certs. #2871)
    +
    +Other algorithms: MD5

    +

    Validated Component Implementations: FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #572)

    + + +\[9\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[10\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[11\] Applies only to Home, Pro, Enterprise and Enterprise LTSB + +\[12\] Applies only to Pro, Enterprise and Enterprise LTSB + +\[13\] Applies only to Enterprise and Enterprise LTSB + +##### Windows 8.1 + +Validated Editions: RT, Pro, Enterprise, Phone, Embedded + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.17031#2357

    FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
    +
    +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)#2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289); SP800-135 - Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS (Cert. #323)

    Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.17042#2356

    FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
    +
    +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)

    +

    Validated Component Implementations: FIPS186-4 ECDSA - Signature Generation of hash sized messages (Cert. #288); FIPS186-4 RSA; PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

    Boot Manager6.3.9600 6.3.9600.17031#2351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
    +
    +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
    BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.17031#2352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
    +
    +Other algorithms: MD5; NDRNG
    BitLocker® Windows Resume (winresume)[14]6.3.9600 6.3.9600.17031#2353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)6.3.9600 6.3.9600.17031#2354FIPS Approved algorithms: AES (Cert. #2832)
    +
    +Other algorithms: N/A
    Code Integrity (ci.dll)6.3.9600 6.3.9600.17031#2355#2355

    FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
    +
    +Other algorithms: MD5

    +

    Validated Component Implementations: PKCS#1 v2.1 - RSASP1 Signature Primitive (Cert. #289)

    + + +\[14\] Applies only to Pro, Enterprise, and Embedded 8. + +##### Windows 8 + +Validated Editions: RT, Home, Pro, Enterprise, Phone + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.9200#1892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
    +
    +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258); DSA (Cert. ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +
    Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.9200#1891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
    +
    +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#258 and ); ECDSA (Cert. ); HMAC (Cert. ); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RNG (Cert. ); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
    Boot Manager6.2.9200#1895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    BitLocker® Windows OS Loader (WINLOAD)6.2.9200#1896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
    BitLocker® Windows Resume (WINRESUME)[15]6.2.9200#1898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (DUMPFVE.SYS)6.2.9200#1899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
    +
    +Other algorithms: N/A
    Code Integrity (CI.DLL)6.2.9200#1897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.9200#1893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#1902); Triple-DES (Cert. ); Triple-DES MAC (Triple-DES Cert. , vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. , key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    Enhanced Cryptographic Provider (RSAENH.DLL)6.2.9200#1894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
    +
    +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    + + +\[15\] Applies only to Home and Pro + +**Windows 7** + +Validated Editions: Windows 7, Windows 7 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)

    6.1.7600.16385

    +

    6.1.7601.17514

    		1329FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); DSA (Cert. #386); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
    +
    +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4#559 and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
    Kernel Mode Cryptographic Primitives Library (cng.sys)

    6.1.7600.16385

    +

    6.1.7600.16915

    +

    6.1.7600.21092

    +

    6.1.7601.17514

    +

    6.1.7601.17725

    +

    6.1.7601.17919

    +

    6.1.7601.21861

    +

    6.1.7601.22076

    		1328FIPS Approved algorithms: AES (Certs. #1168 and #1178); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #24); ECDSA (Cert. #141); HMAC (Cert. #677); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides 80 to 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #560); SHS (Cert. #1081); Triple-DES (Cert. #846)
    +
    +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
    Boot Manager

    6.1.7600.16385

    +

    6.1.7601.17514

    		1319FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #557); SHS (Cert. #1081)
    +
    +Other algorithms: MD5#1168 and ); HMAC (Cert. ); RSA (Cert. ); SHS (Cert. )
    +
    +Other algorithms: MD5
    Winload OS Loader (winload.exe)

    6.1.7600.16385

    +

    6.1.7600.16757

    +

    6.1.7600.20897

    +

    6.1.7600.20916

    +

    6.1.7601.17514

    +

    6.1.7601.17556

    +

    6.1.7601.21655

    +

    6.1.7601.21675

    		1326FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #557); SHS (Cert. #1081)
    +
    +Other algorithms: MD5
    BitLocker™ Drive Encryption

    6.1.7600.16385

    +

    6.1.7600.16429

    +

    6.1.7600.16757

    +

    6.1.7600.20536

    +

    6.1.7600.20873

    +

    6.1.7600.20897

    +

    6.1.7600.20916

    +

    6.1.7601.17514

    +

    6.1.7601.17556

    +

    6.1.7601.21634

    +

    6.1.7601.21655

    +

    6.1.7601.21675

    		1332FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
    +
    +Other algorithms: Elephant Diffuser
    Code Integrity (CI.DLL)

    6.1.7600.16385

    +

    6.1.7600.17122

    +

    6.1.7600.21320

    +

    6.1.7601.17514

    +

    6.1.7601.17950

    +

    6.1.7601.22108

    		1327FIPS Approved algorithms: RSA (Cert. #557); SHS (Cert. #1081)
    +
    +Other algorithms: MD5
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.1.7600.16385
    +(no change in SP1)    		1331FIPS Approved algorithms: DSA (Cert. #385); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
    Enhanced Cryptographic Provider (RSAENH.DLL)6.1.7600.16385
    +(no change in SP1)    		1330FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #673); SHS (Cert. #1081); RSA (Certs. #557 and #559); Triple-DES (Cert. #846)
    +
    +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256-bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    + + +##### Windows Vista SP1 + +Validated Editions: Ultimate Edition + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Boot Manager (bootmgr)6.0.6001.18000 and 6.0.6002.18005978FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #354); SHS (Cert. #753)
    Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18027, 6.0.6001.18606, 6.0.6001.22125, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411 and 6.0.6002.22596979FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #354); SHS (Cert. #753)
    +
    +Other algorithms: MD5
    Code Integrity (ci.dll)6.0.6001.18000, 6.0.6001.18023, 6.0.6001.22120, and 6.0.6002.18005980FIPS Approved algorithms: RSA (Cert. #354); SHS (Cert. #753)
    +
    +Other algorithms: MD5
    Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742, and 6.0.6002.228691000

    FIPS Approved algorithms: AES (Certs. #739 and #756); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)#739 and ); ECDSA (Cert. ); HMAC (Cert. ); RNG (Cert.  and SP 800-90 AES-CTR, vendor-affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )

    +

    Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

    Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005, and 6.0.6002.228721001

    FIPS Approved algorithms: AES (Certs. #739 and #756); DSA (Cert. #283); ECDSA (Cert. #82); HMAC (Cert. #412); RNG (Cert. #435 and SP 800-90, vendor affirmed); RSA (Certs. #353 and #357); SHS (Cert. #753); Triple-DES (Cert. #656)

    +

    Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)

    Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051002

    FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #407); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #354); SHS (Cert. #753); Triple-DES (Cert. #656)

    +

    Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051003

    FIPS Approved algorithms: DSA (Cert. #281); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)

    +

    Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4

    + + +##### Windows Vista + +Validated Editions: Ultimate Edition + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Enhanced Cryptographic Provider (RSAENH)6.0.6000.16386893FIPS Approved algorithms: AES (Cert. #553); HMAC (Cert. #297); RNG (Cert. #321); RSA (Certs. #255 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
    +
    +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6000.16386894FIPS Approved algorithms: DSA (Cert. #226); RNG (Cert. #321); SHS (Cert. #618); Triple-DES (Cert. #549); Triple-DES MAC (Triple-DES Cert. #549, vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
    BitLocker™ Drive Encryption6.0.6000.16386947FIPS Approved algorithms: AES (Cert. #715); HMAC (Cert. #386); SHS (Cert. #737)
    +
    +Other algorithms: Elephant Diffuser
    Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6000.16386, 6.0.6000.16870 and 6.0.6000.21067891FIPS Approved algorithms: AES (Cert. #553); ECDSA (Cert. #60); HMAC (Cert. #298); RNG (Cert. #321); RSA (Certs. #257 and #258); SHS (Cert. #618); Triple-DES (Cert. #549)
    +
    +Other algorithms: DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides 128 to 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; HMAC MD5
    + + +##### Windows XP SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module (FIPS.SYS)5.1.2600.5512997

    FIPS Approved algorithms: HMAC (Cert. #429); RNG (Cert. #449); SHS (Cert. #785); Triple-DES (Cert. #677); Triple-DES MAC (Triple-DES Cert. #677, vendor affirmed)

    +

    Other algorithms: DES; MD5; HMAC MD5

    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.1.2600.5507990

    FIPS Approved algorithms: DSA (Cert. #292); RNG (Cert. #448); SHS (Cert. #784); Triple-DES (Cert. #676); Triple-DES MAC (Triple-DES Cert. #676, vendor affirmed)

    +

    Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits); MD5; RC2; RC4

    Enhanced Cryptographic Provider (RSAENH)5.1.2600.5507989

    FIPS Approved algorithms: AES (Cert. #781); HMAC (Cert. #428); RNG (Cert. #447); RSA (Cert. #371); SHS (Cert. #783); Triple-DES (Cert. #675); Triple-DES MAC (Triple-DES Cert. #675, vendor affirmed)

    +

    Other algorithms: DES; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits)

    + + +##### Windows XP SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    DSS/Diffie-Hellman Enhanced Cryptographic Provider5.1.2600.2133240

    FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #29)

    +

    Other algorithms: DES (Cert. #66); RC2; RC4; MD5; DES40; Diffie-Hellman (key agreement)

    Microsoft Enhanced Cryptographic Provider5.1.2600.2161238

    FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

    +

    Other algorithms: DES (Cert. #156); RC2; RC4; MD5

    + + +##### Windows XP SP1 + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Microsoft Enhanced Cryptographic Provider5.1.2600.1029238

    FIPS Approved algorithms: Triple-DES (Cert. #81); AES (Cert. #33); SHA-1 (Cert. #83); RSA (PKCS#1, vendor affirmed); HMAC-SHA-1 (Cert. #83, vendor affirmed)

    +

    Other algorithms: DES (Cert. #156); RC2; RC4; MD5

    + + +##### Windows XP + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module5.1.2600.0241

    FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Cert. #35); HMAC-SHA-1 (Cert. #35, vendor affirmed)

    +

    Other algorithms: DES (Cert. #89)

    + + +##### Windows 2000 SP3 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

    FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

    +

    Other algorithms: DES (Certs. #89)

    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

    (Base DSS: 5.0.2195.3665 [SP3])

    +

    (Base: 5.0.2195.3839 [SP3])

    +

    (DSS/DH Enh: 5.0.2195.3665 [SP3])

    +

    (Enh: 5.0.2195.3839 [SP3]

    		103

    FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

    +

    Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

    + + +##### Windows 2000 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module (FIPS.SYS)5.0.2195.1569106

    FIPS Approved algorithms: Triple-DES (Cert. #16); SHA-1 (Certs. #35)

    +

    Other algorithms: DES (Certs. #89)

    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

    (Base DSS:

    +

    5.0.2195.2228 [SP2])

    +

    (Base:

    +

    5.0.2195.2228 [SP2])

    +

    (DSS/DH Enh:

    +

    5.0.2195.2228 [SP2])

    +

    (Enh:

    +

    5.0.2195.2228 [SP2])

    		103

    FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

    +

    Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

    + + +##### Windows 2000 SP1 + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enhanced Cryptographic Provider, and Enhanced Cryptographic Provider

    (Base DSS: 5.0.2150.1391 [SP1])

    +

    (Base: 5.0.2150.1391 [SP1])

    +

    (DSS/DH Enh: 5.0.2150.1391 [SP1])

    +

    (Enh: 5.0.2150.1391 [SP1])

    		103

    FIPS Approved algorithms: Triple-DES (Cert. #16); DSA/SHA-1 (Certs. #28 and #29); RSA (vendor affirmed)

    +

    Other algorithms: DES (Certs. #65, 66, 67 and 68); Diffie-Hellman (key agreement); RC2; RC4; MD2; MD4; MD5

    + + +##### Windows 2000 + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.2150.176

    FIPS Approved algorithms: Triple-DES (vendor affirmed); DSA/SHA-1 (Certs. #28 and 29); RSA (vendor affirmed)

    +

    Other algorithms: DES (Certs. #65, 66, 67 and 68); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

    + + +##### Windows 95 and Windows 98 + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Base DSS Cryptographic Provider, Base Cryptographic Provider, DSS/Diffie-Hellman Enchanced Cryptographic Provider, and Enhanced Cryptographic Provider5.0.1877.6 and 5.0.1877.775

    FIPS Approved algorithms: Triple-DES (vendor affirmed); SHA-1 (Certs. #20 and 21); DSA/SHA-1 (Certs. #25 and 26); RSA (vendor- affirmed)

    +

    Other algorithms: DES (Certs. #61, 62, 63 and 64); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)

    + + +##### Windows NT 4.0 + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Base Cryptographic Provider5.0.1877.6 and 5.0.1877.768FIPS Approved algorithms: SHA-1 (Certs. #20 and 21); DSA/SHA- 1 (Certs. #25 and 26); RSA (vendor affirmed)
    +
    +Other algorithms: DES (Certs. #61, 62, 63 and 64); Triple-DES (allowed for US and Canadian Government use); RC2; RC4; MD2; MD4; MD5; Diffie-Hellman (key agreement)
    + + +#### Windows Server + +##### Windows Server 2016 + +Validated Editions: Standard, Datacenter, Storage Server + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)10.0.143932937FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
    +
    +Other algorithms: HMAC-MD5; MD5; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
    Kernel Mode Cryptographic Primitives Library (cng.sys)10.0.143932936FIPS Approved algorithms: AES (Cert. #4064); DRBG (Cert. #1217); DSA (Cert. #1098); ECDSA (Cert. #911); HMAC (Cert. #2651); KAS (Cert. #92); KBKDF (Cert. #101); KTS (AES Cert. #4062; key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); PBKDF (vendor affirmed); RSA (Certs. #2192, #2193 and #2195); SHS (Cert. #3347); Triple-DES (Cert. #2227)
    +
    +Other algorithms: HMAC-MD5; MD5; NDRNG; DES; Legacy CAPI KDF; MD2; MD4; RC2; RC4; RSA (encrypt/decrypt)
    Boot Manager10.0.143932931

    FIPS Approved algorithms: AES (Certs. #4061 and #4064); HMAC (Cert. #2651); PBKDF (vendor affirmed); RSA (Cert. #2193); SHS (Cert. #3347)

    +

    Other algorithms: MD5; PBKDF (non-compliant); VMK KDF

    BitLocker® Windows OS Loader (winload)10.0.143932932FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: NDRNG; MD5
    BitLocker® Windows Resume (winresume)10.0.143932933FIPS Approved algorithms: AES (Certs. #4061 and #4064); RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)10.0.143932934FIPS Approved algorithms: AES (Certs. #4061 and #4064)
    Code Integrity (ci.dll)10.0.143932935FIPS Approved algorithms: RSA (Cert. #2193); SHS (Cert. #3347)
    +
    +Other algorithms: AES (non-compliant); MD5
    Secure Kernel Code Integrity (skci.dll)10.0.143932938FIPS Approved algorithms: RSA (Certs. #2193); SHS (Certs. #3347)
    +
    +Other algorithms: MD5
    + + +##### Windows Server 2012 R2 + +Validated Editions: Server, Storage Server, + +**StorSimple 8000 Series, Azure StorSimple Virtual Array Windows Server 2012 R2** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll)6.3.9600 6.3.9600.170312357FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); DSA (Cert. #855); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. #2373); Triple-DES (Cert. #1692)
    +
    +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
    Kernel Mode Cryptographic Primitives Library (cng.sys)6.3.9600 6.3.9600.170422356FIPS Approved algorithms: AES (Cert. #2832); DRBG (Certs. #489); ECDSA (Cert. #505); HMAC (Cert. #1773); KAS (Cert. #47); KBKDF (Cert. #30); PBKDF (vendor affirmed); RSA (Certs. #1487, #1493 and #1519); SHS (Cert. # 2373); Triple-DES (Cert. #1692)
    +
    +Other algorithms: AES (Cert. #2832, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); AES-GCM encryption (non-compliant); DES; HMAC MD5; Legacy CAPI KDF; MD2; MD4; MD5; NDRNG; RC2; RC4; RSA (encrypt/decrypt)
    Boot Manager6.3.9600 6.3.9600.170312351FIPS Approved algorithms: AES (Cert. #2832); HMAC (Cert. #1773); PBKDF (vendor affirmed); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
    +
    +Other algorithms: MD5; KDF (non-compliant); PBKDF (non-compliant)
    BitLocker® Windows OS Loader (winload)6.3.9600 6.3.9600.170312352FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Cert. #2396)
    +
    +Other algorithms: MD5; NDRNG
    BitLocker® Windows Resume (winresume)[16]6.3.9600 6.3.9600.170312353FIPS Approved algorithms: AES (Cert. #2832); RSA (Cert. #1494); SHS (Certs. # 2373 and #2396)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (dumpfve.sys)[17]6.3.9600 6.3.9600.170312354FIPS Approved algorithms: AES (Cert. #2832)
    +
    +Other algorithms: N/A
    Code Integrity (ci.dll)6.3.9600 6.3.9600.170312355FIPS Approved algorithms: RSA (Cert. #1494); SHS (Cert. # 2373)
    +
    +Other algorithms: MD5
    + + +\[16\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +\[17\] Does not apply to **Azure StorSimple Virtual Array Windows Server 2012 R2** + +**Windows Server 2012** + +Validated Editions: Server, Storage Server + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Cryptographic Primitives Library (BCRYPTPRIMITIVES.DLL)6.2.92001892FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258); DSA (Cert. #687); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
    +
    +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#687); ECDSA (Cert. ); HMAC (Cert. #); KAS (Cert. ); KBKDF (Cert. ); PBKDF (vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
    Kernel Mode Cryptographic Primitives Library (cng.sys)6.2.92001891FIPS Approved algorithms: AES (Certs. #2197 and #2216); DRBG (Certs. #258 and #259); ECDSA (Cert. #341); HMAC (Cert. #1345); KAS (Cert. #36); KBKDF (Cert. #3); PBKDF (vendor affirmed); RNG (Cert. #1110); RSA (Certs. #1133 and #1134); SHS (Cert. #1903); Triple-DES (Cert. #1387)
    +
    +Other algorithms: AES (Cert. #2197, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)#1110); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +Other algorithms: AES (Cert. , key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Legacy CAPI KDF; MD2; MD4; MD5; HMAC MD5; RC2; RC4; RSA (encrypt/decrypt)
    Boot Manager6.2.92001895FIPS Approved algorithms: AES (Certs. #2196 and #2198); HMAC (Cert. #1347); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    BitLocker® Windows OS Loader (WINLOAD)6.2.92001896FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: AES (Cert. #2197; non-compliant); MD5; Non-Approved RNG
    BitLocker® Windows Resume (WINRESUME)6.2.92001898FIPS Approved algorithms: AES (Certs. #2196 and #2198); RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    BitLocker® Dump Filter (DUMPFVE.SYS)6.2.92001899FIPS Approved algorithms: AES (Certs. #2196 and #2198)
    +
    +Other algorithms: N/A
    Code Integrity (CI.DLL)6.2.92001897FIPS Approved algorithms: RSA (Cert. #1132); SHS (Cert. #1903)
    +
    +Other algorithms: MD5
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH.DLL)6.2.92001893FIPS Approved algorithms: DSA (Cert. #686); SHS (Cert. #1902); Triple-DES (Cert. #1386); Triple-DES MAC (Triple-DES Cert. #1386, vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4; Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    Enhanced Cryptographic Provider (RSAENH.DLL)6.2.92001894FIPS Approved algorithms: AES (Cert. #2196); HMAC (Cert. #1346); RSA (Cert. #1132); SHS (Cert. #1902); Triple-DES (Cert. #1386)
    +
    +Other algorithms: AES (Cert. #2196, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); Triple-DES (Cert. #1386, key wrapping; key establishment methodology provides 112 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    + + +##### Windows Server 2008 R2 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Boot Manager (bootmgr)6.1.7600.16385 or 6.1.7601.175146.1.7600.16385 or 6.1.7601.175141321FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); RSA (Cert. #568); SHS (Cert. #1081)
    +
    +Other algorithms: MD5
    Winload OS Loader (winload.exe)6.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216756.1.7600.16385, 6.1.7600.16757, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21655 and 6.1.7601.216751333FIPS Approved algorithms: AES (Certs. #1168 and #1177); RSA (Cert. #568); SHS (Cert. #1081)
    +
    +Other algorithms: MD5
    Code Integrity (ci.dll)6.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221086.1.7600.16385, 6.1.7600.17122, 6.1.7600.21320, 6.1.7601.17514, 6.1.7601.17950 and 6.1.7601.221081334FIPS Approved algorithms: RSA (Cert. #568); SHS (Cert. #1081)
    +
    +Other algorithms: MD5
    Kernel Mode Cryptographic Primitives Library (cng.sys)6.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220766.1.7600.16385, 6.1.7600.16915, 6.1.7600.21092, 6.1.7601.17514, 6.1.7601.17919, 6.1.7601.17725, 6.1.7601.21861 and 6.1.7601.220761335FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
    +
    +-Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4
    Cryptographic Primitives Library (bcryptprimitives.dll)66.1.7600.16385 or 6.1.7601.1751466.1.7600.16385 or 6.1.7601.175141336FIPS Approved algorithms: AES (Certs. #1168 and #1177); AES GCM (Cert. #1168, vendor-affirmed); AES GMAC (Cert. #1168, vendor-affirmed); DRBG (Certs. #23 and #27); DSA (Cert. #391); ECDSA (Cert. #142); HMAC (Cert. #686); KAS (SP 800-56A, vendor affirmed, key agreement; key establishment methodology provides between 80 and 256 bits of encryption strength); RNG (Cert. #649); RSA (Certs. #559 and #567); SHS (Cert. #1081); Triple-DES (Cert. #846)
    +
    +Other algorithms: AES (Cert. #1168, key wrapping; key establishment methodology provides between 128 and 256 bits of encryption strength); DES; HMAC MD5; MD2; MD4; MD5; RC2; RC4
    Enhanced Cryptographic Provider (RSAENH)6.1.7600.163851337FIPS Approved algorithms: AES (Cert. #1168); DRBG (Cert. #23); HMAC (Cert. #687); SHS (Cert. #1081); RSA (Certs. #559 and #568); Triple-DES (Cert. #846)
    +
    +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.1.7600.163851338FIPS Approved algorithms: DSA (Cert. #390); RNG (Cert. #649); SHS (Cert. #1081); Triple-DES (Cert. #846); Triple-DES MAC (Triple-DES Cert. #846, vendor affirmed)
    +
    +Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman; MD5; RC2; RC2 MAC; RC4
    BitLocker™ Drive Encryption6.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216756.1.7600.16385, 6.1.7600.16429, 6.1.7600.16757, 6.1.7600.20536, 6.1.7600.20873, 6.1.7600.20897, 6.1.7600.20916, 6.1.7601.17514, 6.1.7601.17556, 6.1.7601.21634, 6.1.7601.21655 or 6.1.7601.216751339FIPS Approved algorithms: AES (Certs. #1168 and #1177); HMAC (Cert. #675); SHS (Cert. #1081)
    +
    +Other algorithms: Elephant Diffuser
    + + +##### Windows Server 2008 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Boot Manager (bootmgr)6.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224976.0.6001.18000, 6.0.6002.18005 and 6.0.6002.224971004FIPS Approved algorithms: AES (Certs. #739 and #760); HMAC (Cert. #415); RSA (Cert. #355); SHS (Cert. #753)
    +
    +Other algorithms: N/A
    Winload OS Loader (winload.exe)6.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225966.0.6001.18000, 6.0.6001.18606, 6.0.6001.22861, 6.0.6002.18005, 6.0.6002.18411, 6.0.6002.22497 and 6.0.6002.225961005FIPS Approved algorithms: AES (Certs. #739 and #760); RSA (Cert. #355); SHS (Cert. #753)
    +
    +Other algorithms: MD5
    Code Integrity (ci.dll)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051006FIPS Approved algorithms: RSA (Cert. #355); SHS (Cert. #753)
    +
    +Other algorithms: MD5
    Kernel Mode Security Support Provider Interface (ksecdd.sys)6.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228696.0.6001.18709, 6.0.6001.18272, 6.0.6001.18796, 6.0.6001.22202, 6.0.6001.22450, 6.0.6001.22987, 6.0.6001.23069, 6.0.6002.18005, 6.0.6002.18051, 6.0.6002.18541, 6.0.6002.18643, 6.0.6002.22152, 6.0.6002.22742 and 6.0.6002.228691007FIPS Approved algorithms: AES (Certs. #739 and #757); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90 AES-CTR, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
    +
    +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)#83); HMAC (Cert. ); RNG (Cert.  and SP800-90 AES-CTR, vendor affirmed); RSA (Certs.  and ); SHS (Cert. ); Triple-DES (Cert. )
    +
    +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; HMAC MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping: key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    Cryptographic Primitives Library (bcrypt.dll)6.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228726.0.6001.22202, 6.0.6002.18005 and 6.0.6002.228721008FIPS Approved algorithms: AES (Certs. #739 and #757); DSA (Cert. #284); ECDSA (Cert. #83); HMAC (Cert. #413); RNG (Cert. #435 and SP800-90, vendor affirmed); RSA (Certs. #353 and #358); SHS (Cert. #753); Triple-DES (Cert. #656)
    +
    +Other algorithms: AES (GCM and GMAC; non-compliant); DES; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 256 bits of encryption strength); MD2; MD4; MD5; RC2; RC4; RNG (SP 800-90 Dual-EC; non-compliant); RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant provides less than 112 bits of encryption strength)
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)6.0.6001.18000 and 6.0.6002.180056.0.6001.18000 and 6.0.6002.180051009FIPS Approved algorithms: DSA (Cert. #282); RNG (Cert. #435); SHS (Cert. #753); Triple-DES (Cert. #656); Triple-DES MAC (Triple-DES Cert. #656, vendor affirmed)
    +
    +-Other algorithms: DES; DES MAC; DES40; DES40 MAC; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC2 MAC; RC4
    Enhanced Cryptographic Provider (RSAENH)6.0.6001.22202 and 6.0.6002.180056.0.6001.22202 and 6.0.6002.180051010FIPS Approved algorithms: AES (Cert. #739); HMAC (Cert. #408); RNG (SP 800-90, vendor affirmed); RSA (Certs. #353 and #355); SHS (Cert. #753); Triple-DES (Cert. #656)
    +
    +Other algorithms: DES; MD2; MD4; MD5; RC2; RC4; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength)
    + + +##### Windows Server 2003 SP2 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.3959875

    FIPS Approved algorithms: DSA (Cert. #221); RNG (Cert. #314); RSA (Cert. #245); SHS (Cert. #611); Triple-DES (Cert. #543)

    +

    Other algorithms: DES; DES40; Diffie-Hellman (key agreement; key establishment methodology provides between 112 and 150 bits of encryption strength; non-compliant less than 112 bits of encryption strength); MD5; RC2; RC4

    Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.3959869

    FIPS Approved algorithms: HMAC (Cert. #287); RNG (Cert. #313); SHS (Cert. #610); Triple-DES (Cert. #542)

    +

    Other algorithms: DES; HMAC-MD5

    Enhanced Cryptographic Provider (RSAENH)5.2.3790.3959868

    FIPS Approved algorithms: AES (Cert. #548); HMAC (Cert. #289); RNG (Cert. #316); RSA (Cert. #245); SHS (Cert. #613); Triple-DES (Cert. #544)

    +

    Other algorithms: DES; RC2; RC4; MD2; MD4; MD5; RSA (key wrapping; key establishment methodology provides between 112 and 256 bits of encryption strength; non-compliant less than 112 bits of encryption strength)

    + + +##### Windows Server 2003 SP1 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.1830 [SP1]405

    FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

    +

    Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    Enhanced Cryptographic Provider (RSAENH)5.2.3790.1830 [Service Pack 1])382

    FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

    +

    Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.1830 [Service Pack 1]381

    FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

    +

    Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    + + +##### Windows Server 2003 + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Kernel Mode Cryptographic Module (FIPS.SYS)5.2.3790.0405

    FIPS Approved algorithms: Triple-DES (Certs. #201[1] and #370[1]); SHS (Certs. #177[1] and #371[2])

    +

    Other algorithms: DES (Cert. #230[1]); HMAC-MD5; HMAC-SHA-1 (non-compliant)

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    Enhanced Cryptographic Provider (RSAENH)5.2.3790.0382

    FIPS Approved algorithms: Triple-DES (Cert. #192[1] and #365[2]); AES (Certs. #80[1] and #290[2]); SHS (Cert. #176[1] and #364[2]); HMAC (Cert. #176, vendor affirmed[1] and #99[2]); RSA (PKCS#1, vendor affirmed[1] and #81[2])

    +

    Other algorithms: DES (Cert. #226[1]); SHA-256[1]; SHA-384[1]; SHA-512[1]; RC2; RC4; MD2; MD4; MD5

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH)5.2.3790.0381

    FIPS Approved algorithms: Triple-DES (Certs. #199[1] and #381[2]); SHA-1 (Certs. #181[1] and #385[2]); DSA (Certs. #95[1] and #146[2]); RSA (Cert. #81)

    +

    Other algorithms: DES (Cert. #229[1]); Diffie-Hellman (key agreement); RC2; RC4; MD5; DES 40

    +

    [1] x86
    +[2] SP1 x86, x64, IA64

    + + +#### Other Products + +##### Windows Embedded Compact 7 and Windows Embedded Compact 8 + + ++++++ + + + + + + + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Enhanced Cryptographic Provider7.00.2872 [1] and 8.00.6246 [2]2957

    FIPS Approved algorithms: AES (Certs.#4433and#4434); CKG (vendor affirmed); DRBG (Certs.#1432and#1433); HMAC (Certs.#2946and#2945); RSA (Certs.#2414and#2415); SHS (Certs.#3651and#3652); Triple-DES (Certs.#2383and#2384)

    +

    Allowed algorithms: HMAC-MD5; MD5; NDRNG

    Cryptographic Primitives Library (bcrypt.dll)7.00.2872 [1] and 8.00.6246 [2]2956

    FIPS Approved algorithms: AES (Certs.#4430and#4431); CKG (vendor affirmed); CVL (Certs.#1139and#1140); DRBG (Certs.#1429and#1430); DSA (Certs.#1187and#1188); ECDSA (Certs.#1072and#1073); HMAC (Certs.#2942and#2943); KAS (Certs.#114and#115); RSA (Certs.#2411and#2412); SHS (Certs.#3648and#3649); Triple-DES (Certs.#2381and#2382)

    +

    Allowed algorithms: MD5; NDRNG; RSA (key wrapping; key establishment methodology provides between 112 and 150 bits of encryption strength

    + + + +##### Windows CE 6.0 and Windows Embedded Compact 7 + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Enhanced Cryptographic Provider6.00.1937 [1] and 7.00.1687 [2]825

    FIPS Approved algorithms: AES (Certs. #516 [1] and #2024 [2]); HMAC (Certs. #267 [1] and #1227 [2]); RNG (Certs. #292 [1] and #1060 [2]); RSA (Cert. #230 [1] and #1052 [2]); SHS (Certs. #589 [1] and #1774 [2]); Triple-DES (Certs. #526 [1] and #1308 [2])

    +

    Other algorithms: MD5; HMAC-MD5; RC2; RC4; DES

    + + +##### Outlook Cryptographic Provider + + ++++++ + + + + + + + + + + + + + + +
    Cryptographic ModuleVersion (link to Security Policy)FIPS Certificate #Algorithms
    Outlook Cryptographic Provider (EXCHCSP)SR-1A (3821)SR-1A (3821)110

    FIPS Approved algorithms: Triple-DES (Cert. #18); SHA-1 (Certs. #32); RSA (vendor affirmed)

    +

    Other algorithms: DES (Certs. #91); DES MAC; RC2; MD2; MD5

    + +  + +### Cryptographic Algorithms + +The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate. + +### Advanced Encryption Standard (AES) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • AES-CBC:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CFB128:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CTR:
      • +
      • +
      • Counter Source: Internal
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-OFB:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +

    Microsoft Surface Hub Virtual TPM Implementations #4904

    +

    Version 10.0.15063.674

      +
    • AES-CBC:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CFB128:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CTR:
      • +
      • +
      • Counter Source: Internal
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-OFB:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #4903

    +

    Version 10.0.16299

      +
    • AES-CBC:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CCM:
      • +
      • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
        • +
      • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
        • +
      • Plain Text Length: 0-32
        • +
      • AAD Length: 0-65536
        • +
      • +
    • AES-CFB128:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CFB8:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CMAC:
      • +
      • +
      • Generation:
        • +
        • +
        • AES-128:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-192:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-256:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • +
      • Verification:
        • +
        • +
        • AES-128:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-192:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-256:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • +
      • +
    • AES-CTR:
      • +
      • +
      • Counter Source: Internal
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-ECB:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-GCM:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • Tag Lengths: 96, 104, 112, 120, 128 (bits)
        • +
      • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
        • +
      • AAD Lengths: 0, 8, 1016, 1024 (bits)
        • +
      • 96 bit IV supported
        • +
      • +
    • AES-XTS:
      • +
      • +
      • Key Size: 128:
        • +
        • +
        • Modes: Decrypt, Encrypt
          • +
        • Block Sizes: Full
          • +
        • +
      • Key Size: 256:
        • +
        • +
        • Modes: Decrypt, Encrypt
          • +
        • Block Sizes: Full
          • +
        • +
      • +

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #4902

    +

    Version 10.0.15063.674

      +
    • AES-CBC:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CCM:
      • +
      • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
        • +
      • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
        • +
      • Plain Text Length: 0-32
        • +
      • AAD Length: 0-65536
        • +
      • +
    • AES-CFB128:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CFB8:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CMAC:
      • +
      • +
      • Generation:
        • +
        • +
        • AES-128:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-192:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-256:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • +
      • Verification:
        • +
        • +
        • AES-128:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-192:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-256:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • +
      • +
    • AES-CTR:
      • +
      • +
      • Counter Source: Internal
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-ECB:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-GCM:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • Tag Lengths: 96, 104, 112, 120, 128 (bits)
        • +
      • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
        • +
      • AAD Lengths: 0, 8, 1016, 1024 (bits)
        • +
      • 96 bit IV supported
        • +
      • +
    • AES-XTS:
      • +
      • +
      • Key Size: 128:
        • +
        • +
        • Modes: Decrypt, Encrypt
          • +
        • Block Sizes: Full
          • +
        • +
      • Key Size: 256:
        • +
        • +
        • Modes: Decrypt, Encrypt
          • +
        • Block Sizes: Full
          • +
        • +
      • +

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4901

    +

    Version 10.0.15254

      +
    • AES-CBC:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CCM:
      • +
      • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • Tag Lengths: 32, 48, 64, 80, 96, 112, 128 (bits)
        • +
      • IV Lengths: 56, 64, 72, 80, 88, 96, 104 (bits)
        • +
      • Plain Text Length: 0-32
        • +
      • AAD Length: 0-65536
        • +
      • +
    • AES-CFB128:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CFB8:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-CMAC:
      • +
      • +
      • Generation:
        • +
        • +
        • AES-128:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-192:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-256:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • +
      • Verification:
        • +
        • +
        • AES-128:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-192:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • AES-256:
          • +
          • +
          • Block Sizes: Full, Partial
            • +
          • Message Length: 0-65536
            • +
          • Tag Length: 16-16
            • +
          • +
        • +
      • +
    • AES-CTR:
      • +
      • +
      • Counter Source: Internal
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-ECB:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • +
    • AES-GCM:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • IV Generation: External
        • +
      • Key Lengths: 128, 192, 256 (bits)
        • +
      • Tag Lengths: 96, 104, 112, 120, 128 (bits)
        • +
      • Plain Text Lengths: 0, 8, 1016, 1024 (bits)
        • +
      • AAD Lengths: 0, 8, 1016, 1024 (bits)
        • +
      • 96 bit IV supported
        • +
      • +
    • AES-XTS:
      • +
      • +
      • Key Size: 128:
        • +
        • +
        • Modes: Decrypt, Encrypt
          • +
        • Block Sizes: Full
          • +
        • +
      • Key Size: 256:
        • +
        • +
        • Modes: Decrypt, Encrypt
          • +
        • Block Sizes: Full
          • +
        • +
      • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4897

    +

    Version 10.0.16299

    AES-KW:

    +
      +
    • Modes: Decrypt, Encrypt
      • +
    • CIPHK transformation direction: Forward
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
      • +
    +

    AES Val#4902

    Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #4900

    +

    Version 10.0.15063.674

    AES-KW:

    +
      +
    • Modes: Decrypt, Encrypt
      • +
    • CIPHK transformation direction: Forward
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
      • +
    +

    AES Val#4901

    Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #4899

    +

    Version 10.0.15254

    AES-KW:

    +
      +
    • Modes: Decrypt, Encrypt
      • +
    • CIPHK transformation direction: Forward
      • +
    • Key Lengths: 128, 192, 256 (bits)
      • +
    • Plain Text Lengths: 128, 192, 256, 320, 2048 (bits)
      • +
    +

    AES Val#4897

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #4898

    +

    Version 10.0.16299

    AES-CCM:

    +
      +
    • Key Lengths: 256 (bits)
      • +
    • Tag Lengths: 128 (bits)
      • +
    • IV Lengths: 96 (bits)
      • +
    • Plain Text Length: 0-32
      • +
    • AAD Length: 0-65536
      • +
    +

    AES Val#4902

    Microsoft Surface Hub BitLocker(R) Cryptographic Implementations #4896

    +

    Version 10.0.15063.674

    AES-CCM:

    +
      +
    • Key Lengths: 256 (bits)
      • +
    • Tag Lengths: 128 (bits)
      • +
    • IV Lengths: 96 (bits)
      • +
    • Plain Text Length: 0-32
      • +
    • AAD Length: 0-65536
      • +
    +

    AES Val#4901

    Windows 10 Mobile (version 1709) BitLocker(R) Cryptographic Implementations #4895

    +

    Version 10.0.15254

    AES-CCM:

    +
      +
    • Key Lengths: 256 (bits)
      • +
    • Tag Lengths: 128 (bits)
      • +
    • IV Lengths: 96 (bits)
      • +
    • Plain Text Length: 0-32
      • +
    • AAD Length: 0-65536
      • +
    +

    AES Val#4897

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); BitLocker(R) Cryptographic Implementations #4894

    +

    Version 10.0.16299

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB128 ( e/d; 128 , 192 , 256 );

    +

    OFB ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #4627

    +

    Version 10.0.15063

    KW ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    +

    AES Val#4624

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #4626

    +

    Version 10.0.15063

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#4624

    +

     

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile BitLocker(R) Cryptographic Implementations #4625

    +

    Version 10.0.15063

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    CFB128 ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    +

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    +

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )

    +

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

    +

    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

    +

    IV Generated: ( External ) ; PT Lengths Tested: ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 1024 , 8 , 1016 ) ; 96BitIV_Supported

    +

    GMAC_Supported

    +

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #4624

    +

    Version 10.0.15063

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4434

    +

    Version 7.00.2872

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #4433

    +

    Version 8.00.6246

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4431

    +

    Version 7.00.2872

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #4430

    +

    Version 8.00.6246

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB128 ( e/d; 128 , 192 , 256 );

    +

    OFB ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #4074

    +

    Version 10.0.14393

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    +

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    +

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    +

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    +GMAC_Supported

    +

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #4064

    +

    Version 10.0.14393

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    		Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #4063
    +Version 10.0.14393

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 192 , 256 , 320 , 2048 )

    +

    AES Val#4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #4062

    +

    Version 10.0.14393

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#4064

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BitLocker® Cryptographic Implementations #4061

    +

    Version 10.0.14393

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    +

    AES Val#3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #3652

    +

    Version 10.0.10586

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#3629

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BitLocker® Cryptographic Implementations #3653

    +

    Version 10.0.10586

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    		Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA32 Algorithm Implementations #3630
    +Version 10.0.10586

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    +

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    +

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    +

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    +GMAC_Supported

    +

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #3629
    +
    +

    +

    Version 10.0.10586

    KW  ( AE , AD , AES-128 , AES-192 , AES-256 , FWD , 128 , 256 , 192 , 320 , 2048 )

    +

    AES Val#3497

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #3507

    +

    Version 10.0.10240

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#3497

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BitLocker® Cryptographic Implementations #3498

    +

    Version 10.0.10240

    ECB ( e/d; 128 , 192 , 256 ); CBC ( e/d; 128 , 192 , 256 ); CFB8 ( e/d; 128 , 192 , 256 ); CFB128 ( e/d; 128 , 192 , 256 ); CTR ( int only; 128 , 192 , 256 )

    +

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    +

    CMAC(Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    +

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    +IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 0 , 0 ) ; 96BitIV_Supported
    +GMAC_Supported

    +

    XTS( (KS: XTS_128( (e/d) (f) ) KS: XTS_256( (e/d) (f) )

    		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #3497
    +Version 10.0.10240

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #3476
    +Version 10.0.10240

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2853

    +

    Version 6.3.9600

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#2832

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BitLocker� Cryptographic Implementations #2848

    +

    Version 6.3.9600

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 0 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    +

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 192; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 ) (KS: 256; Block Size(s): Full / Partial ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 0 Max: 16 )

    +

    GCM (KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )

    +

    (KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )

    +

    IV Generated:  ( Externally ) ; PT Lengths Tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested:  ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested:  ( 8 , 1024 ) ; 96BitIV_Supported ;
    +OtherIVLen_Supported
    +GMAC_Supported

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2832

    +

    Version 6.3.9600

    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    +AES Val#2197

    +

    CMAC (Generation/Verification ) (KS: 128; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 192; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 ) (KS: 256; Block Size(s): ; Msg Len(s) Min: 0 Max: 2^16 ; Tag Len(s) Min: 16 Max: 16 )
    +AES Val#2197

    +

    GCM(KS: AES_128( e/d ) Tag Length(s): 128 120 112 104 96 ) (KS: AES_192( e/d ) Tag Length(s): 128 120 112 104 96 )
    +(KS: AES_256( e/d ) Tag Length(s): 128 120 112 104 96 )
    +IV Generated: ( Externally ) ; PT Lengths Tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; AAD Lengths tested: ( 0 , 128 , 1024 , 8 , 1016 ) ; IV Lengths Tested: ( 8 , 1024 ) ; 96BitIV_Supported
    +GMAC_Supported

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #2216

    CCM (KS: 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 12 (Tag Length(s): 16 )

    +

    AES Val#2196

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #2198

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

    CFB128 ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #2197

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #2196
    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 – 0 , 2^16 ) (Payload Length Range: 0 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )
    +AES Val#1168

    Windows Server 2008 R2 and SP1 CNG algorithms #1187

    +

    Windows 7 Ultimate and SP1 CNG algorithms #1178

    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )
    +AES Val#1168    		Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #1177

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    +

     

    		Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168

    GCM

    +

    GMAC

    		Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1168 , vendor-affirmed
    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #760
    CCM (KS: 128 , 192 , 256 ) (Assoc. Data Len Range: 0 - 0 , 2^16 ) (Payload Length Range: 1 - 32 ( Nonce Length(s): 7 8 9 10 11 12 13 (Tag Length(s): 4 6 8 10 12 14 16 )

    Windows Server 2008 CNG algorithms #757

    +

    Windows Vista Ultimate SP1 CNG algorithms #756

    CBC ( e/d; 128 , 256 );

    +

    CCM (KS: 128 , 256 ) (Assoc. Data Len Range: 0 - 8 ) (Payload Length Range: 4 - 32 ( Nonce Length(s): 7 8 12 13 (Tag Length(s): 4 6 8 14 16 )

    Windows Vista Ultimate BitLocker Drive Encryption #715

    +

    Windows Vista Ultimate BitLocker Drive Encryption #424

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CFB8 ( e/d; 128 , 192 , 256 );

    Windows Vista Ultimate SP1 and Windows Server 2008 Symmetric Algorithm Implementation #739

    +

    Windows Vista Symmetric Algorithm Implementation #553

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    +

    CTR ( int only; 128 , 192 , 256 )

    		Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #2023

    ECB ( e/d; 128 , 192 , 256 );

    +

    CBC ( e/d; 128 , 192 , 256 );

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #2024

    +

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #818

    +

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #781

    +

    Windows 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #548

    +

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #516

    +

    Windows CE and Windows Mobile 6, 6.1, and 6.5 Enhanced Cryptographic Provider (RSAENH) #507

    +

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #290

    +

    Windows CE 5.0 and 5.1 Enhanced Cryptographic Provider (RSAENH) #224

    +

    Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #80

    +

    Windows XP, SP1, and SP2 Enhanced Cryptographic Provider (RSAENH) #33

    + + +Deterministic Random Bit Generator (DRBG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • Counter:
      • +
      • +
      • Modes: AES-256
        • +
      • Derivation Function States: Derivation Function not used
        • +
      • Prediction Resistance Modes: Not Enabled
        • +
      • +
    +

    Prerequisite: AES #4904

    Microsoft Surface Hub Virtual TPM Implementations #1734

    +

    Version 10.0.15063.674

      +
    • Counter:
      • +
      • +
      • Modes: AES-256
        • +
      • Derivation Function States: Derivation Function not used
        • +
      • Prediction Resistance Modes: Not Enabled
        • +
      • +
    +

    Prerequisite: AES #4903

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1733

    +

    Version 10.0.16299

      +
    • Counter:
      • +
      • +
      • Modes: AES-256
        • +
      • Derivation Function States: Derivation Function used
        • +
      • Prediction Resistance Modes: Not Enabled
        • +
      • +
    +

    Prerequisite: AES #4902

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1732

    +

    Version 10.0.15063.674

      +
    • Counter:
      • +
      • +
      • Modes: AES-256
        • +
      • Derivation Function States: Derivation Function used
        • +
      • Prediction Resistance Modes: Not Enabled
        • +
      • +
    +

    Prerequisite: AES #4901

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1731

    +

    Version 10.0.15254

      +
    • Counter:
      • +
      • +
      • Modes: AES-256
        • +
      • Derivation Function States: Derivation Function used
        • +
      • Prediction Resistance Modes: Not Enabled
        • +
      • +
    +

    Prerequisite: AES #4897

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1730

    +

    Version 10.0.16299

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4627 ) ]

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1556

    +

    Version 10.0.15063

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4624 ) ]

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1555

    +

    Version 10.0.15063

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4434 ) ]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1433

    +

    Version 7.00.2872

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4433 ) ]

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #1432

    +

    Version 8.00.6246

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4431 ) ]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1430

    +

    Version 7.00.2872

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4430 ) ]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1429

    +

    Version 8.00.6246

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#4074 ) ]

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #1222

    +

    Version 10.0.14393

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#4064 ) ]

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #1217

    +

    Version 10.0.14393

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3629 ) ]

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #955

    +

    Version 10.0.10586

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#3497 ) ]

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #868

    +

    Version 10.0.10240

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2832 ) ]

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #489

    +

    Version 6.3.9600

    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_Use_df: ( AES-256 ) ( AES Val#2197 ) ]Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #258
    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#2023 ) ]Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #193
    CTR_DRBG: [ Prediction Resistance Tested: Not Enabled; BlockCipher_No_df: ( AES-256 ) ( AES Val#1168 ) ]Windows 7 Ultimate and SP1 and Windows Server 2008 R2 and SP1 RNG Library #23
    DRBG (SP 800–90)Windows Vista Ultimate SP1, vendor-affirmed
    + + +#### Digital Signature Algorithm (DSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • DSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • PQGGen:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • PQGVer:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • SigGen:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • SigVer:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • KeyPair:
          • +
          • +
          • L = 2048, N = 256
            • +
          • L = 3072, N = 256
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1303

    +

    Version 10.0.15063.674

      +
    • DSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • PQGGen:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • PQGVer:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • SigGen:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • SigVer:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • KeyPair:
          • +
          • +
          •  
            • +
          •  
            • +
          • L = 2048, N = 256
            • +
          • L = 3072, N = 256
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1302

    +

    Version 10.0.15254

      +
    • DSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • PQGGen:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • PQGVer:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • SigGen:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • SigVer:
          • +
          • +
          • L = 2048, N = 256 SHA: SHA-256
            • +
          • L = 3072, N = 256 SHA: SHA-256
            • +
          • +
        • KeyPair:
          • +
          • +
          • L = 2048, N = 256
            • +
          • L = 3072, N = 256
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1301

    +

    Version 10.0.16299

    FIPS186-4:

    +

    PQG(gen)PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    KeyPairGen:   [ (2048,256) ; (3072,256) ]

    +

    SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]

    +

    SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    SHS: Val#3790

    +

    DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1223

    +

    Version 10.0.15063

    FIPS186-4:
    +PQG(ver)PARMS TESTED:       [ (1024,160) SHA( 1 ); ]
    +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
    +SHS: Val# 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1188

    +

    Version 7.00.2872

    FIPS186-4:
    +PQG(ver)PARMS TESTED:       [ (1024,160) SHA( 1 ); ]
    +SIG(ver)PARMS TESTED:   [ (1024,160) SHA( 1 ); ]
    +SHS: Val#3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1187

    +

    Version 8.00.6246

    FIPS186-4:
    +PQG(gen)    PARMS TESTED: [
    +(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    +KeyPairGen:    [ (2048,256) ; (3072,256) ]
    +SIG(gen)PARMS TESTED:   [ (2048,256)
    +SHA( 256 ); (3072,256) SHA( 256 ); ]
    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    SHS: Val# 3347
    +DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #1098

    +

    Version 10.0.14393

    FIPS186-4:
    +PQG(gen)    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ] PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 )]
    +KeyPairGen:    [ (2048,256) ; (3072,256) ] SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    SHS: Val# 3047
    +DRBG: Val# 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #1024

    +

    Version 10.0.10586

    FIPS186-4:
    +PQG(gen)    PARMS TESTED:   [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    +PQG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    +KeyPairGen:    [ (2048,256) ; (3072,256) ]
    +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ] SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    SHS: Val# 2886
    +DRBG: Val# 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #983

    +

    Version 10.0.10240

    FIPS186-4:
    +PQG(gen)    PARMS TESTED:   [
    +(2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    +PQG(ver)PARMS TESTED:   [ (2048,256)
    +SHA( 256 ); (3072,256) SHA( 256 ) ]
    +KeyPairGen:    [ (2048,256) ; (3072,256) ]
    +SIG(gen)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    +SIG(ver)PARMS TESTED:   [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]

    +

    SHS: Val# 2373
    +DRBG: Val# 489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #855

    +

    Version 6.3.9600

    FIPS186-2:
    +PQG(ver) MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: #1903
    +DRBG: #258

    +

    FIPS186-4:
    +PQG(gen)PARMS TESTED    : [ (2048,256)SHA( 256 ); (3072,256) SHA( 256 ) ]
    +PQG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    +SIG(gen)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ); ]
    +SIG(ver)PARMS TESTED: [ (2048,256) SHA( 256 ); (3072,256) SHA( 256 ) ]
    +SHS: #1903
    +DRBG: #258
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#687.

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #687
    FIPS186-2:
    +PQG(ver)     MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: #1902
    +DRBG: #258
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#686.    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 DSS and Diffie-Hellman Enhanced Cryptographic Provider (DSSENH) #686
    FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: Val# 1773
    +DRBG: Val# 193
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#645.    		Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #645
    FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: Val# 1081
    +DRBG: Val# 23
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#391. See Historical DSA List Val#386.

    Windows Server 2008 R2 and SP1 CNG algorithms #391

    +

    Windows 7 Ultimate and SP1 CNG algorithms #386

    FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: Val# 1081
    +RNG: Val# 649
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#390. See Historical DSA List Val#385.

    Windows Server 2008 R2 and SP1 Enhanced DSS (DSSENH) #390

    +

    Windows 7 Ultimate and SP1 Enhanced DSS (DSSENH) #385

    FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: Val# 753
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#284. See Historical DSA List Val#283.

    Windows Server 2008 CNG algorithms #284

    +

    Windows Vista Ultimate SP1 CNG algorithms #283

    FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: Val# 753
    +RNG: Val# 435
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#282. See Historical DSA List Val#281.

    Windows Server 2008 Enhanced DSS (DSSENH) #282

    +

    Windows Vista Ultimate SP1 Enhanced DSS (DSSENH) #281

    FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: Val# 618
    +RNG: Val# 321
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#227. See Historical DSA List Val#226.

    Windows Vista CNG algorithms #227

    +

    Windows Vista Enhanced DSS (DSSENH) #226

    FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: Val# 784
    +RNG: Val# 448
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#292.    		Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #292
    FIPS186-2:
    +SIG(ver)     MOD(1024);
    +SHS: Val# 783
    +RNG: Val# 447
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical DSA List Val#291.    		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #291
    FIPS186-2:
    +PQG(gen)     MOD(1024);
    +PQG(ver) MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: Val# 611
    +RNG: Val# 314    		Windows 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #221
    FIPS186-2:
    +PQG(gen)     MOD(1024);
    +PQG(ver) MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: Val# 385    		Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #146
    FIPS186-2:
    +PQG(ver)     MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    +SIG(ver) MOD(1024);
    +SHS: Val# 181
    +
    +    		Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #95
    FIPS186-2:
    +PQG(gen)     MOD(1024);
    +PQG(ver) MOD(1024);
    +KEYGEN(Y) MOD(1024);
    +SIG(gen) MOD(1024);
    +SHS: SHA-1 (BYTE)
    +SIG(ver) MOD(1024);
    +SHS: SHA-1 (BYTE)

    Windows 2000 DSSENH.DLL #29

    +

    Windows 2000 DSSBASE.DLL #28

    +

    Windows NT 4 SP6 DSSENH.DLL #26

    +

    Windows NT 4 SP6 DSSBASE.DLL #25

    FIPS186-2: PRIME;
    +FIPS186-2:

    +

    KEYGEN(Y):
    +SHS: SHA-1 (BYTE)

    +

    SIG(gen):
    +SIG(ver)     MOD(1024);
    +SHS: SHA-1 (BYTE)

    		Windows NT 4.0 SP4 Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider #17
    + + +#### Elliptic Curve Digital Signature Algorithm (ECDSA) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • ECDSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • Key Pair Generation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • Generation Methods: Extra Random Bits
            • +
          • +
        • Public Key Validation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • +
        • Signature Generation:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • Signature Verification:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #2373, DRBG #489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1263

    +

    Version 6.3.9600

      +
    • ECDSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • Key Pair Generation:
          • +
          • +
          • Curves: P-256, P-384
            • +
          • Generation Methods: Testing Candidates
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, DRBG #1734

    Microsoft Surface Hub Virtual TPM Implementations #1253

    +

    Version 10.0.15063.674

      +
    • ECDSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • Key Pair Generation:
          • +
          • +
          • Curves: P-256, P-384
            • +
          • Generation Methods: Testing Candidates
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, DRBG #1733

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1252

    +

    Version 10.0.16299

      +
    • ECDSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • Key Pair Generation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • Generation Methods: Extra Random Bits
            • +
          • +
        • Public Key Validation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • +
        • Signature Generation:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • Signature Verification:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1251

    +

    Version 10.0.15063.674

      +
    • ECDSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • Key Pair Generation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • Generation Methods: Extra Random Bits
            • +
          • +
        • Public Key Validation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • +
        • Signature Generation:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • Signature Verification:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1250

    +

    Version 10.0.15063.674

      +
    • ECDSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • Key Pair Generation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • Generation Methods: Extra Random Bits
            • +
          • +
        • Public Key Validation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • +
        • Signature Generation:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • Signature Verification:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1249

    +

    Version 10.0.15254

      +
    • ECDSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • Key Pair Generation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • Generation Methods: Extra Random Bits
            • +
          • +
        • Public Key Validation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • +
        • Signature Generation:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • Signature Verification:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1248

    +

    Version 10.0.15254

      +
    • ECDSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • Key Pair Generation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • Generation Methods: Extra Random Bits
            • +
          • +
        • Public Key Validation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • +
        • Signature Generation:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • Signature Verification:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1247

    +

    Version 10.0.16299

      +
    • ECDSA:
      • +
      • +
      • 186-4:
        • +
        • +
        • Key Pair Generation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • Generation Methods: Extra Random Bits
            • +
          • +
        • Public Key Validation:
          • +
          • +
          • Curves: P-256, P-384, P-521
            • +
          • +
        • Signature Generation:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • Signature Verification:
          • +
          • +
          • P-256 SHA: SHA-256
            • +
          • P-384 SHA: SHA-384
            • +
          • P-521 SHA: SHA-512
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1246

    +

    Version 10.0.16299

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 TestingCandidates )
    +SHS: Val#3790
    +DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1136

    +

    Version 10.0.15063

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    +PKV: CURVES( P-256 P-384 P-521 )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +SHS: Val#3790
    +DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1135

    +

    Version 10.0.15063

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    +PKV: CURVES( P-256 P-384 P-521 )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +SHS: Val#3790
    +DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1133

    +

    Version 10.0.15063

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    +PKV: CURVES( P-256 P-384 P-521 )
    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
    +SHS:Val# 3649
    +DRBG:Val# 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1073

    +

    Version 7.00.2872

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    +PKV: CURVES( P-256 P-384 P-521 )
    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 384) P-521: (SHA-1, 512) )
    +SHS:Val#3648
    +DRBG:Val# 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1072

    +

    Version 8.00.6246

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 TestingCandidates )
    +PKV: CURVES( P-256 P-384 )
    +SigGen: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SigVer: CURVES( P-256: (SHA-1, 256) P-384: (SHA-1, 256, 384) )

    +

    SHS: Val# 3347
    +DRBG: Val# 1222

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #920

    +

    Version 10.0.14393

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    +PKV: CURVES( P-256 P-384 P-521 )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +

    SHS: Val# 3347
    +DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #911

    +

    Version 10.0.14393

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +

    SHS: Val# 3047
    +DRBG: Val# 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #760

    +

    Version 10.0.10586

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +

    SHS: Val# 2886
    +DRBG: Val# 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #706

    +

    Version 10.0.10240

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )

    +

    SHS: Val#2373
    +DRBG: Val# 489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #505

    +

    Version 6.3.9600

    FIPS186-2:
    +PKG: CURVES    ( P-256 P-384 P-521 )
    +SHS: #1903
    +DRBG: #258
    +SIG(ver):CURVES( P-256 P-384 P-521 )
    +SHS: #1903
    +DRBG: #258

    +

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +SHS: #1903
    +DRBG: #258
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#341.

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #341

    FIPS186-2:
    +PKG: CURVES    ( P-256 P-384 P-521 )
    +SHS: Val#1773
    +DRBG: Val# 193
    +SIG(ver): CURVES( P-256 P-384 P-521 )
    +SHS: Val#1773
    +DRBG: Val# 193

    +

    FIPS186-4:
    +PKG: CURVES    ( P-256 P-384 P-521 ExtraRandomBits )
    +SigGen: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512)
    +SigVer: CURVES( P-256: (SHA-256) P-384: (SHA-384) P-521: (SHA-512) )
    +SHS: Val#1773
    +DRBG: Val# 193
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#295.

    		Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #295
    FIPS186-2:
    +PKG: CURVES    ( P-256 P-384 P-521 )
    +SHS: Val#1081
    +DRBG: Val# 23
    +SIG(ver): CURVES( P-256 P-384 P-521 )
    +SHS: Val#1081
    +DRBG: Val# 23
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#142. See Historical ECDSA List Val#141.

    Windows Server 2008 R2 and SP1 CNG algorithms #142

    +

    Windows 7 Ultimate and SP1 CNG algorithms #141

    FIPS186-2:
    +PKG: CURVES    ( P-256 P-384 P-521 )
    +SHS: Val#753
    +SIG(ver): CURVES( P-256 P-384 P-521 )
    +SHS: Val#753
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#83. See Historical ECDSA List Val#82.

    Windows Server 2008 CNG algorithms #83

    +

    Windows Vista Ultimate SP1 CNG algorithms #82

    FIPS186-2:
    +PKG: CURVES    ( P-256 P-384 P-521 )
    +SHS: Val#618
    +RNG: Val# 321
    +SIG(ver): CURVES( P-256 P-384 P-521 )
    +SHS: Val#618
    +RNG: Val# 321
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical ECDSA List Val#60.    		Windows Vista CNG algorithms #60
    + + +#### Keyed-Hash Message Authentication Code (HMAC) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • HMAC-SHA-1:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-256:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-384:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    +

    Prerequisite: SHS #4011

    Microsoft Surface Hub Virtual TPM Implementations #3271

    +

    Version 10.0.15063.674

      +
    • HMAC-SHA-1:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-256:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-384:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    +

    Prerequisite: SHS #4009

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #3270

    +

    Version 10.0.16299

      +
    • HMAC-SHA-1:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-256:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-384:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-512:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    +

    Prerequisite: SHS #4011

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #3269

    +

    Version 10.0.15063.674

      +
    • HMAC-SHA-1:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-256:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-384:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-512:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    +

    Prerequisite: SHS #4010

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #3268

    +

    Version 10.0.15254

      +
    • HMAC-SHA-1:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-256:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-384:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    • HMAC-SHA2-512:
      • +
      • +
      • Key Sizes &lt; Block Size
        • +
      • Key Sizes &gt; Block Size
        • +
      • Key Sizes = Block Size
        • +
      • +
    +

    Prerequisite: SHS #4009

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #3267

    +

    Version 10.0.16299

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #3062

    +

    Version 10.0.15063

    HMAC-SHA1(Key Sizes Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3061

    +

    Version 10.0.15063

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3652

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3652

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2946

    +

    Version 7.00.2872

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3651

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3651

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2945

    +

    Version 8.00.6246

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3649

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3649

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal# 3649

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2943

    +

    Version 7.00.2872

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#3648

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#3648

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#3648

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2942

    +

    Version 8.00.6246

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +SHS Val# 3347

    +

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +SHS Val# 3347

    +

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    +SHS Val# 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2661

    +

    Version 10.0.14393

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val# 3347

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val# 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2651

    +

    Version 10.0.14393

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +SHS Val# 3047

    +

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +SHS Val# 3047

    +

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    +SHS Val# 3047

    +

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    +SHS Val# 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” SymCrypt Cryptographic Implementations #2381

    +

    Version 10.0.10586

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +SHSVal# 2886

    +

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +SHSVal# 2886

    +

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    + SHSVal# 2886

    +

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    +SHSVal# 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2233

    +

    Version 10.0.10240

    HMAC-SHA1 (Key Sizes Ranges Tested:  KSBS )
    +SHS Val#2373

    +

    HMAC-SHA256 ( Key Size Ranges Tested:  KSBS )
    +SHS Val#2373

    +

    HMAC-SHA384 ( Key Size Ranges Tested:  KSBS )
    +SHS Val#2373

    +

    HMAC-SHA512 ( Key Size Ranges Tested:  KSBS )
    +SHS Val#2373

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1773

    +

    Version 6.3.9600

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS Val#2764

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS Val#2764

    Windows CE and Windows Mobile, and Windows Embedded Handheld Enhanced Cryptographic Provider (RSAENH) #2122

    +

    Version 5.2.29344

    HMAC-SHA1 (Key Sizes Ranges Tested: KS#1902

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KS#1902

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 BitLocker® Cryptographic Implementations #1347

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHS#1902

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHS#1902

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHS#1902

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHS#1902

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1346

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )

    +

    SHS#1903

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )

    +

    SHS#1903

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS )

    +

    SHS#1903

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )

    +

    SHS#1903

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1345

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1773

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    +

    Tinker HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1773

    		Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1364

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1774

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1774

    		Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1227

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#1081

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#1081

    Windows Server 2008 R2 and SP1 CNG algorithms #686

    +

    Windows 7 and SP1 CNG algorithms #677

    +

    Windows Server 2008 R2 Enhanced Cryptographic Provider (RSAENH) #687

    +

    Windows 7 Enhanced Cryptographic Provider (RSAENH) #673

    HMAC-SHA1(Key Sizes Ranges Tested: KSVal#1081

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#1081

    		Windows 7 and SP1 and Windows Server 2008 R2 and SP1 BitLocker Algorithm Implementations #675

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#816

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#816

    		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #452

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#753

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#753

    		Windows Vista Ultimate SP1 and Windows Server 2008 BitLocker Algorithm Implementations #415

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS )SHS Val#753

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #408

    +

    Windows Vista Enhanced Cryptographic Provider (RSAENH) #407

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS )SHSVal#618

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    		Windows Vista Enhanced Cryptographic Provider (RSAENH) #297
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#785

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #429

    +

    Windows XP, vendor-affirmed

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#783

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#783

    		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #428

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#613

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#613

    		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #289
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#610Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #287

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#753

    Windows Server 2008 CNG algorithms #413

    +

    Windows Vista Ultimate SP1 CNG algorithms #412

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#737

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#737

    		Windows Vista Ultimate BitLocker Drive Encryption #386

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#618

    		Windows Vista CNG algorithms #298

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#589

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS )SHSVal#589

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#589

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#589

    		Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #267

    HMAC-SHA1 ( Key Sizes Ranges Tested: KSBS ) SHSVal#578

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#578

    		Windows CE and Windows Mobile 6.0 and Windows Mobil 6.5 Enhanced Cryptographic Provider (RSAENH) #260

    HMAC-SHA1 (Key Sizes Ranges Tested: KSVal#495

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSVal#495

    		Windows Vista BitLocker Drive Encryption #199
    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#364

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #99

    +

    Windows XP, vendor-affirmed

    HMAC-SHA1 (Key Sizes Ranges Tested: KSBS ) SHSVal#305

    +

    HMAC-SHA256 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    +

    HMAC-SHA384 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    +

    HMAC-SHA512 ( Key Size Ranges Tested: KSBS ) SHSVal#305

    		Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #31
    + + +#### Key Agreement Scheme (KAS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • KAS ECC:
      • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
        • +
      • Schemes:
        • +
        • +
        • Full Unified:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • KDFs: Concatenation
            • +
          • Parameter Sets:
            • +
            • +
            • EC:
              • +
              • +
              • Curve: P-256
                • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • ED:
              • +
              • +
              • Curve: P-384
                • +
              • SHA: SHA-384
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, ECDSA #1253, DRBG #1734

    Microsoft Surface Hub Virtual TPM Implementations #150

    +

    Version 10.0.15063.674

      +
    • KAS ECC:
      • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Full Public Key Validation, Key Pair Generation, Public Key Regeneration
        • +
      • Schemes:
        • +
        • +
        • Full Unified:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • KDFs: Concatenation
            • +
          • Parameter Sets:
            • +
            • +
            • EC:
              • +
              • +
              • Curve: P-256
                • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • ED:
              • +
              • +
              • Curve: P-384
                • +
              • SHA: SHA-384
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, ECDSA #1252, DRBG #1733

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #149

    +

    Version 10.0.16299

      +
    • KAS ECC:
      • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
        • +
      • Schemes:
        • +
        • +
        • Ephemeral Unified:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • KDFs: Concatenation
            • +
          • Parameter Sets:
            • +
            • +
            • EC:
              • +
              • +
              • Curve: P-256
                • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • ED:
              • +
              • +
              • Curve: P-384
                • +
              • SHA: SHA-384
                • +
              • MAC: HMAC
                • +
              • +
            • EE:
              • +
              • +
              • Curve: P-521
                • +
              • SHA: SHA-512
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • One Pass DH:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • EC:
              • +
              • +
              • Curve: P-256
                • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • ED:
              • +
              • +
              • Curve: P-384
                • +
              • SHA: SHA-384
                • +
              • MAC: HMAC
                • +
              • +
            • EE:
              • +
              • +
              • Curve: P-521
                • +
              • SHA: SHA-512
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • Static Unified:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • EC:
              • +
              • +
              • Curve: P-256
                • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • ED:
              • +
              • +
              • Curve: P-384
                • +
              • SHA: SHA-384
                • +
              • MAC: HMAC
                • +
              • +
            • EE:
              • +
              • +
              • Curve: P-521
                • +
              • SHA: SHA-512
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, ECDSA #1250, DRBG #1732

    +
      +
    • KAS FFC:
      • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
        • +
      • Schemes:
        • +
        • +
        • dhEphem:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • FB:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • FC:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • dhOneFlow:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • FB:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • FC:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • dhStatic:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • FB:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • FC:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, DSA #1303, DRBG #1732

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #148

    +

    Version 10.0.15063.674

      +
    • KAS ECC:
      • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
        • +
      • Schemes:
        • +
        • +
        • Ephemeral Unified:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • KDFs: Concatenation
            • +
          • Parameter Sets:
            • +
            • +
            • EC:
              • +
              • +
              • Curve: P-256
                • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • ED:
              • +
              • +
              • Curve: P-384
                • +
              • SHA: SHA-384
                • +
              • MAC: HMAC
                • +
              • +
            • EE:
              • +
              • +
              • Curve: P-521
                • +
              • SHA: SHA-512
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • One Pass DH:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • EC:
              • +
              • +
              • Curve: P-256
                • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • ED:
              • +
              • +
              • Curve: P-384
                • +
              • SHA: SHA-384
                • +
              • MAC: HMAC
                • +
              • +
            • EE:
              • +
              • +
              • Curve: P-521
                • +
              • SHA: SHA-512
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • Static Unified:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • EC:
              • +
              • +
              • Curve: P-256
                • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • ED:
              • +
              • +
              • Curve: P-384
                • +
              • SHA: SHA-384
                • +
              • MAC: HMAC
                • +
              • +
            • EE:
              • +
              • +
              • Curve: P-521
                • +
              • SHA: SHA-512
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4010, ECDSA #1249, DRBG #1731

    +
      +
    • KAS FFC:
      • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
        • +
      • Schemes:
        • +
        • +
        • dhEphem:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • FB:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • FC:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • dhOneFlow:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • FB:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • FC:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • dhStatic:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • FB:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • FC:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4010, DSA #1302, DRBG #1731

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #147

    +

    Version 10.0.15254

      +
    • KAS ECC:
      • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation, Public Key Regeneration
        • +
      • Schemes:
        • +
        • +
        • Ephemeral Unified:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • KDFs: Concatenation
            • +
          • Parameter Sets:
            • +
            • +
            • EC:
              • +
              • +
              • Curve: P-256
                • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • ED:
              • +
              • +
              • Curve: P-384
                • +
              • SHA: SHA-384
                • +
              • MAC: HMAC
                • +
              • +
            • EE:
              • +
              • +
              • Curve: P-521
                • +
              • SHA: SHA-512
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • One Pass DH:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • EC:
              • +
              • +
              • Curve: P-256
                • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • ED:
              • +
              • +
              • Curve: P-384
                • +
              • SHA: SHA-384
                • +
              • MAC: HMAC
                • +
              • +
            • EE:
              • +
              • +
              • Curve: P-521
                • +
              • SHA: SHA-512
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • Static Unified:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • EC:
              • +
              • +
              • Curve: P-256
                • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • ED:
              • +
              • +
              • Curve: P-384
                • +
              • SHA: SHA-384
                • +
              • MAC: HMAC
                • +
              • +
            • EE:
              • +
              • +
              • Curve: P-521
                • +
              • SHA: SHA-512
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, ECDSA #1246, DRBG #1730

    +
      +
    • KAS FFC:
      • +
      • +
      • Functions: Domain Parameter Generation, Domain Parameter Validation, Key Pair Generation, Partial Public Key Validation
        • +
      • Schemes:
        • +
        • +
        • dhEphem:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • FB:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • FC:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • dhOneFlow:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • FB:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • FC:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • dhStatic:
          • +
          • +
          • Key Agreement Roles: Initiator, Responder
            • +
          • Parameter Sets:
            • +
            • +
            • FB:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • FC:
              • +
              • +
              • SHA: SHA-256
                • +
              • MAC: HMAC
                • +
              • +
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, DSA #1301, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #146

    +

    Version 10.0.16299

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration ) SCHEMES [ FullUnified ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ]

    +

    SHS Val#3790
    +DSA Val#1135
    +DRBG Val#1556

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #128

    +

    Version 10.0.15063

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    +SHS Val#3790
    +DSA Val#1223
    +DRBG Val#1555

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +
    +SHS Val#3790
    +ECDSA Val#1133
    +DRBG Val#1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #127

    +

    Version 10.0.15063

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB: SHA256 ) ( FC: SHA256 ) ] [ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB: SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    +SHS Val# 3649
    +DSA Val#1188
    +DRBG Val#1430

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #115

    +

    Version 7.00.2872

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhHybridOneFlow ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FB:SHA256 HMAC ) ( FC: SHA256   HMAC ) ]
    +SHS Val#3648
    +DSA Val#1187
    +DRBG Val#1429

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256   SHA256   HMAC ) ( ED: P-384   SHA384   HMAC ) ( EE: P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +
    +SHS Val#3648
    +ECDSA Val#1072
    +DRBG Val#1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #114

    +

    Version 8.00.6246

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Full Validation   Key Regeneration )
    +SCHEMES  [ FullUnified  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; &lt; KDF: CONCAT &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ]

    +

    SHS Val# 3347 ECDSA Val#920 DRBG Val#1222

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #93

    +

    Version 10.0.14393

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation )
    +SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic (No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    SHS Val# 3347 DSA Val#1098 DRBG Val#1217

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    SHS Val# 3347 DSA Val#1098 ECDSA Val#911 DRBG Val#1217 HMAC Val#2651

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #92

    +

    Version 10.0.14393

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    SHS Val# 3047 DSA Val#1024 DRBG Val#955

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    SHS Val# 3047 ECDSA Val#760 DRBG Val#955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #72

    +

    Version 10.0.10586

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    SHS Val# 2886 DSA Val#983 DRBG Val#868

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    SHS Val# 2886 ECDSA Val#706 DRBG Val#868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #64

    +

    Version 10.0.10240

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation ) SCHEMES  [ dhEphem  ( KARole(s): Initiator / Responder )
    +( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FB:  SHA256 ) ( FC:  SHA256 ) ] [ dhStatic ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( FB:  SHA256 HMAC ) ( FC:  SHA256   HMAC ) ]

    +

    SHS Val#2373 DSA Val#855 DRBG Val#489

    +

    ECC:  (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG   DPV   KPG   Partial Validation   Key Regeneration ) SCHEMES  [ EphemeralUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH  ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]
    +[ StaticUnified ( No_KC  &lt; KARole(s): Initiator / Responder &gt; ) ( EC:  P-256   SHA256   HMAC ) ( ED:  P-384   SHA384   HMAC ) ( EE:  P-521   HMAC (SHA512, HMAC_SHA512) ) ]

    +

    SHS Val#2373 ECDSA Val#505 DRBG Val#489

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #47

    +

    Version 6.3.9600

    FFC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation ) SCHEMES [ dhEphem ( KARole(s): Initiator / Responder )
    +( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhOneFlow ( KARole(s): Initiator / Responder ) ( FA: SHA256 ) ( FB: SHA256 ) ( FC: SHA256 ) ]
    +[ dhStatic ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( FA: SHA256 HMAC ) ( FB: SHA256 HMAC ) ( FC: SHA256 HMAC ) ]
    +SHS #1903 DSA Val#687 DRBG #258

    +

    ECC: (FUNCTIONS INCLUDED IN IMPLEMENTATION: DPG DPV KPG Partial Validation Key Regeneration ) SCHEMES [ EphemeralUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ) ]
    +[ OnePassDH( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 ) ( ED: P-384 SHA384 ) ( EE: P-521 (SHA512, HMAC_SHA512) ) ) ]
    +[ StaticUnified ( No_KC &lt; KARole(s): Initiator / Responder&gt; ) ( EC: P-256 SHA256 HMAC ) ( ED: P-384 SHA384 HMAC ) ( EE: P-521 HMAC (SHA512, HMAC_SHA512) ) ]
    +
    +SHS #1903 ECDSA Val#341 DRBG #258

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #36

    KAS (SP 800–56A)

    +

    key agreement

    +

    key establishment methodology provides 80 to 256 bits of encryption strength

    Windows 7 and SP1, vendor-affirmed

    +

    Windows Server 2008 R2 and SP1, vendor-affirmed

    + + +SP 800-108 Key-Based Key Derivation Functions (KBKDF) + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • Counter:
      • +
      • +
      • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
        • +
      • +
    +

    MAC prerequisite: HMAC #3271

    +
    +
      +
    • Counter Location: Before Fixed Data
      • +
    • R Length: 32 (bits)
      • +
    • SPs used to generate K: SP 800-56A, SP 800-90A
      • +
    +
    +

    K prerequisite: DRBG #1734, KAS #150

    Microsoft Surface Hub Virtual TPM Implementations #161

    +

    Version 10.0.15063.674

      +
    • Counter:
      • +
      • +
      • MACs: HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384
        • +
      • +
    +

    MAC prerequisite: HMAC #3270

    +
    +
      +
    • Counter Location: Before Fixed Data
      • +
    • R Length: 32 (bits)
      • +
    • SPs used to generate K: SP 800-56A, SP 800-90A
      • +
    +
    +

    K prerequisite: DRBG #1733, KAS #149

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #160

    +

    Version 10.0.16299

      +
    • Counter:
      • +
      • +
      • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
        • +
      • +
    +

    MAC prerequisite: AES #4902, HMAC #3269

    +
    +
      +
    • Counter Location: Before Fixed Data
      • +
    • R Length: 32 (bits)
      • +
    • SPs used to generate K: SP 800-56A, SP 800-90A
      • +
    • K prerequisite: KAS #148
      • +
    +

    Microsoft Surface Hub Cryptography Next Generation (CNG) Implementations #159

    +

    Version 10.0.15063.674

      +
    • Counter:
      • +
      • +
      • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
        • +
      • +
    +

    MAC prerequisite: AES #4901, HMAC #3268

    +
    +
      +
    • Counter Location: Before Fixed Data
      • +
    • R Length: 32 (bits)
      • +
    • SPs used to generate K: SP 800-56A, SP 800-90A
      • +
    +
    +

    K prerequisite: KAS #147

    Windows 10 Mobile (version 1709) Cryptography Next Generation (CNG) Implementations #158

    +

    Version 10.0.15254

      +
    • Counter:
      • +
      • +
      • MACs: CMAC-AES-128, CMAC-AES-192, CMAC-AES-256, HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
        • +
      • +
    +

    MAC prerequisite: AES #4897, HMAC #3267

    +
    +
      +
    • Counter Location: Before Fixed Data
      • +
    • R Length: 32 (bits)
      • +
    • SPs used to generate K: SP 800-56A, SP 800-90A
      • +
    +
    +

    K prerequisite: KAS #146

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Cryptography Next Generation (CNG) Implementations #157

    +

    Version 10.0.16299

    CTR_Mode: ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
    +
    +KAS Val#128
    +DRBG Val#1556
    +MAC Val#3062

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #141

    +

    Version 10.0.15063

    CTR_Mode: ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )
    +
    +KAS Val#127
    +AES Val#4624
    +DRBG Val#1555
    +MAC Val#3061

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile Cryptography Next Generation (CNG) Implementations #140

    +

    Version 10.0.15063

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA384] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    KAS Val#93 DRBG Val#1222 MAC Val#2661

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #102

    +

    Version 10.0.14393

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    KAS Val#92 AES Val#4064 DRBG Val#1217 MAC Val#2651

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #101

    +

    Version 10.0.14393

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    KAS Val#72 AES Val#3629 DRBG Val#955 MAC Val#2381

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #72

    +

    Version 10.0.10586

    CTR_Mode:  ( Llength( Min20 Max64 ) MACSupported( [CMACAES128] [CMACAES192] [CMACAES256] [HMACSHA1] [HMACSHA256] [HMACSHA384] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    KAS Val#64 AES Val#3497 RBG Val#868 MAC Val#2233

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #66

    +

    Version 10.0.10240

    CTR_Mode:  ( Llength( Min0 Max0 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    DRBG Val#489 MAC Val#1773

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #30

    +

    Version 6.3.9600

    CTR_Mode: ( Llength( Min0 Max4 ) MACSupported( [HMACSHA1] [HMACSHA256] [HMACSHA512] ) LocationCounter( [BeforeFixedData] ) rlength( [32] ) )

    +

    DRBG #258 HMAC Val#1345

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #3
    + + +Random Number Generator (RNG) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #

    FIPS 186-2 General Purpose

    +

    [ (x-Original); (SHA-1) ]

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1110
    FIPS 186-2
    +[ (x-Original); (SHA-1) ]

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1060

    +

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #292

    +

    Windows CE and Windows Mobile 6.0 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #286

    +

    Windows CE 5.00 and Window CE 5.01 Enhanced Cryptographic Provider (RSAENH) #66

    FIPS 186-2
    +[ (x-Change Notice); (SHA-1) ]

    +

    FIPS 186-2 General Purpose
    +[ (x-Change Notice); (SHA-1) ]

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 RNG Library #649

    +

    Windows Vista Ultimate SP1 and Windows Server 2008 RNG Implementation #435

    +

    Windows Vista RNG implementation #321

    FIPS 186-2 General Purpose
    +[ (x-Change Notice); (SHA-1) ]

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #470

    +

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #449

    +

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #447

    +

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #316

    +

    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #313

    FIPS 186-2
    +[ (x-Change Notice); (SHA-1) ]

    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #448

    +

    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #314

    + + +#### RSA + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #

    RSA:

    +
      +
    • 186-4:
      • +
      • +
      • Signature Generation PKCS1.5:
        • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • +
        • +
      • Signature Generation PSS:
        • +
        • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • +
        • +
      • Signature Verification PKCS1.5:
        • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
          • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • +
        • +
      • Signature Verification PSS:
        • +
        • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, DRBG #1734

    Microsoft Surface Hub Virtual TPM Implementations #2677

    +

    Version 10.0.15063.674

    RSA:

    +
      +
    • 186-4:
      • +
      • +
      • Signature Generation PKCS1.5:
        • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • +
        • +
      • Signature Generation PSS:
        • +
        • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 240 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • +
        • +
      • Signature Verification PKCS1.5:
        • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384
          • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384
          • +
        • +
      • Signature Verification PSS:
        • +
        • +
        • Mod 1024:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, DRBG #1733

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #2676

    +

    Version 10.0.16299

    RSA:

    +
      +
    • 186-4:
      • +
      • +
      • Key Generation:
        • +
      • Signature Verification PKCS1.5:
        • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub RSA32 Algorithm Implementations #2675

    +

    Version 10.0.15063.674

    RSA:

    +
      +
    • 186-4:
      • +
      • +
      • Signature Verification PKCS1.5:
        • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); RSA32 Algorithm Implementations #2674

    +

    Version 10.0.16299

    RSA:

    +
      +
    • 186-4:
      • +
      • +
      • Signature Verification PKCS1.5:
        • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) RSA32 Algorithm Implementations #2673

    +

    Version 10.0.15254

    RSA:

    +
      +
    • 186-4:
      • +
      • +
      • Key Generation:
        • +
        • +
        • Public Key Exponent: Fixed (10001)
          • +
        • Provable Primes with Conditions:
          • +
          • +
          • Mod lengths: 2048, 3072 (bits)
            • +
          • Primality Tests: C.3
            • +
          • +
        • +
      • Signature Generation PKCS1.5:
        • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Generation PSS:
        • +
        • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • Signature Verification PKCS1.5:
        • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Verification PSS:
        • +
        • +
        • Mod 1024:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 496 (bits)
            • +
          • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub MsBignum Cryptographic Implementations #2672

    +

    Version 10.0.15063.674

    RSA:

    +
      +
    • 186-4:
      • +
      • +
      • Key Generation:
        • +
        • +
        • Probable Random Primes:
          • +
          • +
          • Mod lengths: 2048, 3072 (bits)
            • +
          • Primality Tests: C.2
            • +
          • +
        • +
      • Signature Generation PKCS1.5:
        • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Generation PSS:
        • +
        • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • Signature Verification PKCS1.5:
        • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Verification PSS:
        • +
        • +
        • Mod 1024:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 496 (bits)
            • +
          • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, DRBG #1732

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #2671

    +

    Version 10.0.15063.674

    RSA:

    +
      +
    • 186-4:
      • +
      • +
      • Key Generation:
        • +
        • +
        • Probable Random Primes:
          • +
          • +
          • Mod lengths: 2048, 3072 (bits)
            • +
          • Primality Tests: C.2
            • +
          • +
        • +
      • Signature Generation PKCS1.5:
        • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Generation PSS:
        • +
        • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • Signature Verification PKCS1.5:
        • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Verification PSS:
        • +
        • +
        • Mod 1024:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 496 (bits)
            • +
          • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2670

    +

    Version 10.0.15254

    RSA:

    +
      +
    • 186-4:
      • +
      • +
      • Key Generation:
        • +
        • +
        • Public Key Exponent: Fixed (10001)
          • +
        • Provable Primes with Conditions:
          • +
          • +
          • Mod lengths: 2048, 3072 (bits)
            • +
          • Primality Tests: C.3
            • +
          • +
        • +
      • Signature Generation PKCS1.5:
        • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Generation PSS:
        • +
        • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • Signature Verification PKCS1.5:
        • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Verification PSS:
        • +
        • +
        • Mod 1024:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 496 (bits)
            • +
          • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4010, DRBG #1731

    Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #2669

    +

    Version 10.0.15254

      +
    • 186-4:
      • +
      • +
      • Key Generation:
        • +
        • +
        • Public Key Exponent: Fixed (10001)
          • +
        • Provable Primes with Conditions:
          • +
          • +
          • Mod lengths: 2048, 3072 (bits)
            • +
          • Primality Tests: C.3
            • +
          • +
        • +
      • Signature Generation PKCS1.5:
        • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Generation PSS:
        • +
        • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • Signature Verification PKCS1.5:
        • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Verification PSS:
        • +
        • +
        • Mod 1024:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 496 (bits)
            • +
          • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #2668

    +

    Version 10.0.16299

      +
    • 186-4:
      • +
      • +
      • Key Generation:
        • +
        • +
        • Probable Random Primes:
          • +
          • +
          • Mod lengths: 2048, 3072 (bits)
            • +
          • Primality Tests: C.2
            • +
          • +
        • +
      • Signature Generation PKCS1.5:
        • +
        • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Generation PSS:
        • +
        • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • Signature Verification PKCS1.5:
        • +
        • +
        • Mod 1024 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 2048 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • Mod 3072 SHA: SHA-1, SHA-256, SHA-384, SHA-512
          • +
        • +
      • Signature Verification PSS:
        • +
        • +
        • Mod 1024:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 496 (bits)
            • +
          • +
        • Mod 2048:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • Mod 3072:
          • +
          • +
          • SHA-1: Salt Length: 160 (bits)
            • +
          • SHA-256: Salt Length: 256 (bits)
            • +
          • SHA-384: Salt Length: 384 (bits)
            • +
          • SHA-512: Salt Length: 512 (bits)
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2667

    +

    Version 10.0.16299

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))
    +SHA Val#3790

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #2524

    +

    Version 10.0.15063

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +SHA Val#3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile RSA32 Algorithm Implementations #2523

    +

    Version 10.0.15063

    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    +SHA Val#3790
    +DRBG: Val# 1555

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #2522

    +

    Version 10.0.15063

    FIPS186-4:
    +186-4KEY(gen):
    +PGM(ProbRandom:     ( 2048 , 3072 ) PPTT:( C.2 )
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    +SHA Val#3790

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2521

    +

    Version 10.0.15063

    FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3652, SHA-256Val#3652, SHA-384Val#3652, SHA-512Val#3652

    +

    FIPS186-4:
    +ALG[ANSIX9.31]     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
    +SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +SHA Val#3652

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2415

    +

    Version 7.00.2872

    FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 4096 , SHS: SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3651, SHA-256Val#3651, SHA-384Val#3651, SHA-512Val#3651

    +

    FIPS186-4:
    +ALG[ANSIX9.31]     Sig(Gen): (2048 SHA( 1 )) (3072 SHA( 1 ))
    +SIG(gen) with SHA-1 affirmed for use with protocols only.     Sig(Ver): (1024 SHA( 1 )) (2048 SHA( 1 )) (3072 SHA( 1 ))
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +SHA Val#3651

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2414

    +

    Version 8.00.6246

    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 4096 , SHS: SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val# 3649 , SHA-256Val# 3649 , SHA-384Val# 3649 , SHA-512Val# 3649

    +

    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e (10001) ;
    +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +SHA Val# 3649
    +DRBG: Val# 1430

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2412

    +

    Version 7.00.2872

    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 4096 , SHS: SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#3648, SHA-256Val#3648, SHA-384Val#3648, SHA-512Val#3648

    +

    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e (10001) ;
    +PGM(ProbRandom: ( 2048 , 3072 ) PPTT:( C.2 )
    +ALG[RSASSA-PKCS1_V1_5] SIG(gen) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))
    +SHA Val#3648
    +DRBG: Val# 1429

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2411

    +

    Version 8.00.6246

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 1 , 256 , 384 )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +SIG(Ver) (1024 SHA( 1 , 256 , 384 )) (2048 SHA( 1 , 256 , 384 ))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) SIG(gen) with SHA-1 affirmed for use with protocols only.
    +Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) ))

    +

    SHA Val# 3347

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #2206

    +

    Version 10.0.14393

    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +

    SHA Val# 3347 DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA Key Generation Implementation #2195

    +

    Version 10.0.14393

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#3346

    soft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #2194

    +

    Version 10.0.14393

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val# 3347 DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #2193

    +

    Version 10.0.14393

    FIPS186-4:
    +[RSASSA-PSS]: Sig(Gen):     (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +

    Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +

    SHA Val# 3347 DRBG: Val# 1217

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #2192

    +

    Version 10.0.14393

    FIPS186-4:
    +186-4KEY(gen)    :  FIPS186-4_Fixed_e ( 10001 ) ;
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +

    SHA Val# 3047 DRBG: Val# 955

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” RSA Key Generation Implementation #1889

    +

    Version 10.0.10586

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#3048

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #1871

    +

    Version 10.0.10586

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val# 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub MsBignum Cryptographic Implementations #1888

    +

    Version 10.0.10586

    FIPS186-4:
    +[RSASSA-PSS]: Sig(Gen)    : (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    +Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +

    SHA Val# 3047

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub Cryptography Next Generation (CNG) Implementations #1887

    +

    Version 10.0.10586

    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e ( 10001 ) ;
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +

    SHA Val# 2886 DRBG: Val# 868

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA Key Generation Implementation #1798

    +

    Version 10.0.10240

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#2871

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #1784

    +

    Version 10.0.10240

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#2871

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #1783

    +

    Version 10.0.10240

    FIPS186-4:
    +[RSASSA-PSS]:     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    +Sig(Ver): (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +

    SHA Val# 2886

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #1802

    +

    Version 10.0.10240

    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e ;
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )

    +

    SHA Val#2373 DRBG: Val# 489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 RSA Key Generation Implementation #1487

    +

    Version 6.3.9600

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#2373

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #1494

    +

    Version 6.3.9600

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5    ] SIG(gen) (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 ))

    +

    SHA Val#2373

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1493

    +

    Version 6.3.9600

    FIPS186-4:
    +[RSASSA-PSS]:     Sig(Gen): (2048 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))
    + Sig(Ver): (1024 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 62 ) )) (2048 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) )) (3072 SHA( 1 SaltLen( 20 ) , 256 SaltLen( 32 ) , 384 SaltLen( 48 ) , 512 SaltLen( 64 ) ))

    +

    SHA Val#2373

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 Cryptography Next Generation Cryptographic Implementations #1519

    +

    Version 6.3.9600

    FIPS186-4:
    +ALG[RSASSA-PKCS1_V1_5]     SIG(gen) (2048 SHA( 256 , 384 , 512-256 )) (3072 SHA( 256 , 384 , 512-256 ))
    +SIG(Ver) (1024 SHA( 1 , 256 , 384 , 512-256 )) (2048 SHA( 1 , 256 , 384 , 512-256 )) (3072 SHA( 1 , 256 , 384 , 512-256 ))
    +[RSASSA-PSS]: Sig(Gen): (2048 SHA( 256 , 384 , 512 )) (3072 SHA( 256 , 384 , 512 ))
    +Sig(Ver): (1024 SHA( 1 , 256 , 384 , 512 )) (2048 SHA( 1 , 256 , 384 , 512 )) (3072 SHA( 1 , 256 , 384 , 512 , 512 ))
    +SHA #1903

    +

    Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1134.

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG) Implementations #1134
    FIPS186-4:
    +186-4KEY(gen):     FIPS186-4_Fixed_e , FIPS186-4_Fixed_e_Value
    +PGM(ProbPrimeCondition): 2048 , 3072 PPTT:( C.3 )
    +SHA #1903 DRBG: #258    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 RSA Key Generation Implementation #1133
    FIPS186-2:
    +ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: #258
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256#1902, SHA-384#1902, SHA-512#1902,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1#1902, SHA-256#1902, SHA-#1902, SHA-512#1902,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1132.    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Enhanced Cryptographic Provider (RSAENH) #1132
    FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1774, SHA-256Val#1774, SHA-384Val#1774, SHA-512Val#1774,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1052.    		Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1052
    FIPS186-2:
    +ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 193
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1773, SHA-256Val#1773, SHA-384Val#1773, SHA-512Val#1773,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#1051.    		Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1051
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#568.    		Windows Server 2008 R2 and SP1 Enhanced Cryptographic Provider (RSAENH) #568
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#567. See Historical RSA List Val#560.

    Windows Server 2008 R2 and SP1 CNG algorithms #567

    +

    Windows 7 and SP1 CNG algorithms #560

    FIPS186-2:
    +ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 DRBG: Val# 23
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#559.    		Windows 7 and SP1 and Server 2008 R2 and SP1 RSA Key Generation Implementation #559
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#1081, SHA-256Val#1081, SHA-384Val#1081, SHA-512Val#1081,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#557.    		Windows 7 and SP1 Enhanced Cryptographic Provider (RSAENH) #557
    FIPS186-2:
    +ALG[ANSIX9.31]:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#816, SHA-256Val#816, SHA-384Val#816, SHA-512Val#816,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#395.    		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #395
    FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#783
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#783, SHA-384Val#783, SHA-512Val#783,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#371.    		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #371
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#358. See Historical RSA List Val#357.

    Windows Server 2008 CNG algorithms #358

    +

    Windows Vista SP1 CNG algorithms #357

    FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#753, SHA-256Val#753, SHA-384Val#753, SHA-512Val#753,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#355. See Historical RSA List Val#354.

    Windows Server 2008 Enhanced Cryptographic Provider (RSAENH) #355

    +

    Windows Vista SP1 Enhanced Cryptographic Provider (RSAENH) #354

    FIPS186-2:
    +ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#353.    		Windows Vista SP1 and Windows Server 2008 RSA Key Generation Implementation #353
    FIPS186-2:
    +ALG[ANSIX9.31]:     Key(gen)(MOD: 2048 , 3072 , 4096 PubKey Values: 65537 RNG: Val# 321
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#258.    		Windows Vista RSA key generation implementation #258
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +ALG[RSASSA-PSS]: SIG(gen); 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#257.    		Windows Vista CNG algorithms #257
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:     SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#618, SHA-256Val#618, SHA-384Val#618, SHA-512Val#618,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#255.    		Windows Vista Enhanced Cryptographic Provider (RSAENH) #255
    FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#613, SHA-256Val#613, SHA-384Val#613, SHA-512Val#613,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#245.    		Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #245
    FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#589, SHA-256Val#589, SHA-384Val#589, SHA-512Val#589,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#230.    		Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #230
    FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#578, SHA-256Val#578, SHA-384Val#578, SHA-512Val#578,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#222.    		Windows CE and Windows Mobile 6 and Windows Mobile 6.1 Enhanced Cryptographic Provider (RSAENH) #222
    FIPS186-2:
    +ALG[RSASSA-PKCS1_V1_5]:
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#364
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#81.    		Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #81
    FIPS186-2:
    +ALG[ANSIX9.31]:
    +SIG(ver); 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305
    +ALG[RSASSA-PKCS1_V1_5]: SIG(gen) 2048 , 3072 , 4096 , SHS: SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    +SIG(ver): 1024 , 1536 , 2048 , 3072 , 4096 , SHS: SHA-1Val#305, SHA-256Val#305, SHA-384Val#305, SHA-512Val#305,
    +Some of the previously validated components for this validation have been removed because they are now non-compliant per the SP800-131A transition. See Historical RSA List Val#52.    		Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #52

    FIPS186-2:

    +

    – PKCS#1 v1.5, signature generation and verification

    +

    – Mod sizes: 1024, 1536, 2048, 3072, 4096

    +

    – SHS: SHA–1/256/384/512

    Windows XP, vendor-affirmed

    +

    Windows 2000, vendor-affirmed

    + + +#### Secure Hash Standard (SHS) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • SHA-1:
      • +
      • +
      • Supports Empty Message
        • +
      • +
    • SHA-256:
      • +
      • +
      • Supports Empty Message
        • +
      • +
    • SHA-384:
      • +
      • +
      • Supports Empty Message
        • +
      • +
    • SHA-512:
      • +
      • +
      • Supports Empty Message
        • +
      • +

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #4011

    +

    Version 10.0.15063.674

      +
    • SHA-1:
      • +
      • +
      • Supports Empty Message
        • +
      • +
    • SHA-256:
      • +
      • +
      • Supports Empty Message
        • +
      • +
    • SHA-384:
      • +
      • +
      • Supports Empty Message
        • +
      • +
    • SHA-512:
      • +
      • +
      • Supports Empty Message
        • +
      • +

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #4010

    +

    Version 10.0.15254

      +
    • SHA-1:
      • +
      • +
      • Supports Empty Message
        • +
      • +
    • SHA-256:
      • +
      • +
      • Supports Empty Message
        • +
      • +
    • SHA-384:
      • +
      • +
      • Supports Empty Message
        • +
      • +
    • SHA-512:
      • +
      • +
      • Supports Empty Message
        • +
      • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #4009

    +

    Version 10.0.16299

    SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #3790

    +

    Version 10.0.15063

    SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3652

    +

    Version 7.00.2872

    SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #3651

    +

    Version 8.00.6246

    SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3649

    +

    Version 7.00.2872

    SHA-1      (BYTE-only)
    +SHA-256  (BYTE-only)
    +SHA-384  (BYTE-only)
    +SHA-512  (BYTE-only)

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #3648

    +

    Version 8.00.6246

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #3347
    +Version 10.0.14393
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update RSA32 Algorithm Implementations #3346
    +Version 10.0.14393
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub RSA32 Algorithm Implementations #3048
    +Version 10.0.10586
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #3047
    +Version 10.0.10586
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #2886
    +Version 10.0.10240
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 RSA32 Algorithm Implementations #2871
    +Version 10.0.10240
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry RSA32 Algorithm Implementations #2396
    +Version 6.3.9600
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #2373
    +Version 6.3.9600

    SHA-1 (BYTE-only)

    +

    SHA-256 (BYTE-only)

    +

    SHA-384 (BYTE-only)

    +

    SHA-512 (BYTE-only)

    +

    Implementation does not support zero-length (null) messages.

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1903

    +

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1902

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1774

    +

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1773

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows 7and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #1081

    +

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #816

    SHA-1 (BYTE-only)

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #785

    +

    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #784

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)    		Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #783
    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #753

    +

    Windows Vista Symmetric Algorithm Implementation #618

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)

    Windows Vista BitLocker Drive Encryption #737

    +

    Windows Vista Beta 2 BitLocker Drive Encryption #495

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #613

    +

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #364

    SHA-1 (BYTE-only)

    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #611

    +

    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #610

    +

    Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #385

    +

    Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #371

    +

    Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #181

    +

    Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #177

    +

    Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #176

    SHA-1 (BYTE-only)
    +SHA-256 (BYTE-only)
    +SHA-384 (BYTE-only)
    +SHA-512 (BYTE-only)

    Windows CE 6.0 and Windows CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #589

    +

    Windows CE and Windows Mobile 6 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #578

    +

    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #305

    SHA-1 (BYTE-only)

    Windows XP Microsoft Enhanced Cryptographic Provider #83

    +

    Crypto Driver for Windows 2000 (fips.sys) #35

    +

    Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #32

    +

    Windows 2000 RSAENH.DLL #24

    +

    Windows 2000 RSABASE.DLL #23

    +

    Windows NT 4 SP6 RSAENH.DLL #21

    +

    Windows NT 4 SP6 RSABASE.DLL #20

    + + +#### Triple DES + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Modes / States / Key SizesAlgorithm Implementation and Certificate #
      +
    • TDES-CBC:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +
    • TDES-CFB64:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +
    • TDES-CFB8:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +
    • TDES-ECB:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #2558

    +

    Version 10.0.15063.674

      +
    • TDES-CBC:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +
    • TDES-CFB64:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +
    • TDES-CFB8:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +
    • TDES-ECB:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #2557

    +

    Version 10.0.15254

      +
    • TDES-CBC:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +
    • TDES-CFB64:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +
    • TDES-CFB8:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +
    • TDES-ECB:
      • +
      • +
      • Modes: Decrypt, Encrypt
        • +
      • Keying Option: 1
        • +
      • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #2556

    +

    Version 10.0.16299

    TECB( KO 1 e/d, ) ; TCBC( KO 1 e/d, ) ; TCFB8( KO 1 e/d, ) ; TCFB64( KO 1 e/d, )

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #2459

    +

    Version 10.0.15063

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, )

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2384

    +

    Version 8.00.6246

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, )

    Windows Embedded Compact Enhanced Cryptographic Provider (RSAENH) #2383

    +

    Version 8.00.6246

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, ) ;

    +

    CTR ( int only )

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2382

    +

    Version 7.00.2872

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, )

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #2381

    +

    Version 8.00.6246

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, ) ;

    +

    TCFB8( KO 1 e/d, ) ;

    +

    TCFB64( KO 1 e/d, )

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update SymCrypt Cryptographic Implementations #2227
    +
    +

    +

    Version 10.0.14393

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, ) ;

    +

    TCFB8( KO 1 e/d, ) ;

    +

    TCFB64( KO 1 e/d, )

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub and Surface Hub SymCrypt Cryptographic Implementations #2024
    +
    +

    +

    Version 10.0.10586

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, ) ;

    +

    TCFB8( KO 1 e/d, ) ;

    +

    TCFB64( KO 1 e/d, )

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 SymCrypt Cryptographic Implementations #1969
    +
    +

    +

    Version 10.0.10240

    TECB( KO 1 e/d, ) ;

    +

    TCBC( KO 1 e/d, ) ;

    +

    TCFB8( KO 1 e/d, ) ;

    +

    TCFB64( KO 1 e/d, )

    Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 SymCrypt Cryptographic Implementations #1692

    +

    Version 6.3.9600

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 ) ;

    +

    TCFB8( e/d; KO 1,2 ) ;

    +

    TCFB64( e/d; KO 1,2 )

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Next Generation Symmetric Cryptographic Algorithms Implementations (SYMCRYPT) #1387

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 ) ;

    +

    TCFB8( e/d; KO 1,2 )

    		Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Symmetric Algorithm Implementations (RSA32) #1386

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 ) ;

    +

    TCFB8( e/d; KO 1,2 )

    		Windows 7 and SP1 and Windows Server 2008 R2 and SP1 Symmetric Algorithm Implementation #846

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 ) ;

    +

    TCFB8( e/d; KO 1,2 )

    		Windows Vista SP1 and Windows Server 2008 Symmetric Algorithm Implementation #656

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 ) ;

    +

    TCFB8( e/d; KO 1,2 )

    		Windows Vista Symmetric Algorithm Implementation #549
    Triple DES MAC

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 #1386, vendor-affirmed

    +

    Windows 7 and SP1 and Windows Server 2008 R2 and SP1 #846, vendor-affirmed

    TECB( e/d; KO 1,2 ) ;

    +

    TCBC( e/d; KO 1,2 )

    Windows Embedded Compact 7 Enhanced Cryptographic Provider (RSAENH) #1308

    +

    Windows Embedded Compact 7 Cryptographic Primitives Library (bcrypt.dll) #1307

    +

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #691

    +

    Windows XP Professional SP3 Kernel Mode Cryptographic Module (fips.sys) #677

    +

    Windows XP Professional SP3 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #676

    +

    Windows XP Professional SP3 Enhanced Cryptographic Provider (RSAENH) #675

    +

    Windows Server 2003 SP2 Enhanced Cryptographic Provider (RSAENH) #544

    +

    Windows Server 2003 SP2 Enhanced DSS and Diffie-Hellman Cryptographic Provider #543

    +

    Windows Server 2003 SP2 Kernel Mode Cryptographic Module (fips.sys) #542

    +

    Windows CE 6.0 and Window CE 6.0 R2 and Windows Mobile Enhanced Cryptographic Provider (RSAENH) #526

    +

    Windows CE and Windows Mobile 6 and Windows Mobile 6.1 and Windows Mobile 6.5 Enhanced Cryptographic Provider (RSAENH) #517

    +

    Windows Server 2003 SP1 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #381

    +

    Windows Server 2003 SP1 Kernel Mode Cryptographic Module (fips.sys) #370

    +

    Windows Server 2003 SP1 Enhanced Cryptographic Provider (RSAENH) #365

    +

    Windows CE 5.00 and Windows CE 5.01 Enhanced Cryptographic Provider (RSAENH) #315

    +

    Windows Server 2003 Kernel Mode Cryptographic Module (fips.sys) #201

    +

    Windows Server 2003 Enhanced DSS and Diffie-Hellman Cryptographic Provider (DSSENH) #199

    +

    Windows Server 2003 Enhanced Cryptographic Provider (RSAENH) #192

    +

    Windows XP Microsoft Enhanced Cryptographic Provider #81

    +

    Windows 2000 Microsoft Outlook Cryptographic Provider (EXCHCSP.DLL) SR-1A (3821) #18

    +

    Crypto Driver for Windows 2000 (fips.sys) #16

    + + +#### SP 800-132 Password Based Key Derivation Function (PBKDF) + + + + + + + + + + + + + + +
    + Modes / States / Key Sizes + + Algorithm Implementation and Certificate # +
    + PBKDF (vendor affirmed) +

     Kernel Mode Cryptographic Primitives Library (cng.sys) Cryptographic Primitives Library (bcryptprimitives.dll and ncryptsslp.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2937
    (Software Version: 10.0.14393)

    +

    Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
    (Software Version: 10.0.14393)

    +

    Code Integrity (ci.dll) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2935
    (Software Version: 10.0.14393)

    +

    Boot Manager in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2931
    (Software Version: 10.0.14393)

    +
    + PBKDF (vendor affirmed) +

    Kernel Mode Cryptographic Primitives Library (cng.sys) in Microsoft Windows 10, Windows 10 Pro, Windows 10 Enterprise, Windows 10 Enterprise LTSB, Windows 10 Mobile, Windows Server 2016 Standard, Windows Server 2016 Datacenter, Windows Storage Server 2016 #2936
    (Software Version: 10.0.14393)

    +

    Windows 8, Windows RT, Windows Server 2012, Surface Windows RT, Surface Windows 8 Pro, and Windows Phone 8 Cryptography Next Generation (CNG), vendor-affirmed

    +
    + + +#### Component Validation List + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Publication / Component Validated / DescriptionImplementation and Certificate #
      +
    • ECDSA SigGen:
      • +
      • +
      • P-256 SHA: SHA-256
        • +
      • P-384 SHA: SHA-384
        • +
      • P-521 SHA: SHA-512
        • +
      • +
    +

    Prerequisite: DRBG #489

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #1540

    +

    Version 6.3.9600

      +
    • RSASP1:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • Padding Algorithms: PKCS 1.5
        • +
      • +

    Microsoft Surface Hub Virtual TPM Implementations #1519

    +

    Version 10.0.15063.674

      +
    • RSASP1:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • Padding Algorithms: PKCS 1.5
        • +
      • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); Virtual TPM Implementations #1518

    +

    Version 10.0.16299

      +
    • RSADP:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • +

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1517

    +

    Version 10.0.15063.674

      +
    • RSASP1:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • Padding Algorithms: PKCS 1.5
        • +
      • +

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1516

    +

    Version 10.0.15063.674

      +
    • ECDSA SigGen:
      • +
      • +
      • P-256 SHA: SHA-256
        • +
      • P-384 SHA: SHA-384
        • +
      • P-521 SHA: SHA-512
        • +
      • +
    +

     Prerequisite: DRBG #1732

    Microsoft Surface Hub MsBignum Cryptographic Implementations #1515

    +

    Version 10.0.15063.674

      +
    • ECDSA SigGen:
      • +
      • +
      • P-256 SHA: SHA-256
        • +
      • P-384 SHA: SHA-384
        • +
      • P-521 SHA: SHA-512
        • +
      • +
    +

    Prerequisite: DRBG #1732

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1514

    +

    Version 10.0.15063.674

      +
    • RSADP:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • +

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1513

    +

    Version 10.0.15063.674

      +
    • RSASP1:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • Padding Algorithms: PKCS 1.5
        • +
      • +

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1512

    +

    Version 10.0.15063.674

      +
    • IKEv1:
      • +
      • +
      • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
        • +
      • Pre-shared Key Length: 64-2048
        • +
      • Diffie-Hellman shared secrets:
        • +
        • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 2048 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 256 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 384 (bits)
            • +
          • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, HMAC #3269

    +
      +
    • IKEv2:
      • +
      • +
      • Derived Keying Material length: 192-1792
        • +
      • Diffie-Hellman shared secrets:
        • +
        • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 2048 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 256 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 384 (bits)
            • +
          • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, HMAC #3269

    +
      +
    • TLS:
      • +
      • +
      • Supports TLS 1.0/1.1
        • +
      • Supports TLS 1.2:
        • +
        • +
        • SHA Functions: SHA-256, SHA-384
          • +
        • +
      • +
    +

    Prerequisite: SHS #4011, HMAC #3269

    Microsoft Surface Hub SymCrypt Cryptographic Implementations #1511

    +

    Version 10.0.15063.674

      +
    • ECDSA SigGen:
      • +
      • +
      • P-256 SHA: SHA-256
        • +
      • P-384 SHA: SHA-384
        • +
      • P-521 SHA: SHA-512
        • +
      • +
    +

    Prerequisite: DRBG #1731

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1510

    +

    Version 10.0.15254

      +
    • RSADP:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • +

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1509

    +

    Version 10.0.15254

      +
    • RSASP1:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • Padding Algorithms: PKCS 1.5
        • +
      • +

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1508

    +

    Version 10.0.15254

      +
    • IKEv1:
      • +
      • +
      • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
        • +
      • Pre-shared Key Length: 64-2048
        • +
      • Diffie-Hellman shared secrets:
        • +
        • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 2048 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 256 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 384 (bits)
            • +
          • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4010, HMAC #3268

    +
      +
    • IKEv2:
      • +
      • +
      • Derived Keying Material length: 192-1792
        • +
      • Diffie-Hellman shared secrets:
        • +
        • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 2048 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 256 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 384 (bits)
            • +
          • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4010, HMAC #3268

    +
      +
    • TLS:
      • +
      • +
      • Supports TLS 1.0/1.1
        • +
      • Supports TLS 1.2:
        • +
        • +
        • SHA Functions: SHA-256, SHA-384
          • +
        • +
      • +
    +

    Prerequisite: SHS #4010, HMAC #3268

    Windows 10 Mobile (version 1709) SymCrypt Cryptographic Implementations #1507

    +

    Version 10.0.15254

      +
    • ECDSA SigGen:
      • +
      • +
      • P-256 SHA: SHA-256
        • +
      • P-384 SHA: SHA-384
        • +
      • P-521 SHA: SHA-512
        • +
      • +
    +

    Prerequisite: DRBG #1731

    Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1506

    +

    Version 10.0.15254

      +
    • RSADP:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • +

    Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1505

    +

    Version 10.0.15254

      +
    • RSASP1:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • Padding Algorithms: PKCS 1.5
        • +
      • +

    Windows 10 Mobile (version 1709) MsBignum Cryptographic Implementations #1504

    +

    Version 10.0.15254

      +
    • ECDSA SigGen:
      • +
      • +
      • P-256 SHA: SHA-256
        • +
      • P-384 SHA: SHA-384
        • +
      • P-521 SHA: SHA-512
        • +
      • +
    +

    Prerequisite: DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1503

    +

    Version 10.0.16299

      +
    • RSADP:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1502

    +

    Version 10.0.16299

      +
    • RSASP1:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • Padding Algorithms: PKCS 1.5
        • +
      • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); MsBignum Cryptographic Implementations #1501

    +

    Version 10.0.16299

      +
    • ECDSA SigGen:
      • +
      • +
      • P-256 SHA: SHA-256
        • +
      • P-384 SHA: SHA-384
        • +
      • P-521 SHA: SHA-512
        • +
      • +
    +

    Prerequisite: DRBG #1730

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1499

    +

    Version 10.0.16299

      +
    • RSADP:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations #1498

    +

    Version 10.0.16299

    +

     

      +
    • RSASP1:
      • +
      • +
      • Modulus Size: 2048 (bits)
        • +
      • Padding Algorithms: PKCS 1.5
        • +
      • +

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1497

    +

    Version 10.0.16299

      +
    • IKEv1:
      • +
      • +
      • Methods: Digital Signature, Pre-shared Key, Public Key Encryption
        • +
      • Pre-shared Key Length: 64-2048
        • +
      • Diffie-Hellman shared secrets:
        • +
        • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 2048 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 256 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 384 (bits)
            • +
          • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, HMAC #3267

    +
      +
    • IKEv2:
      • +
      • +
      • Derived Keying Material length: 192-1792
        • +
      • Diffie-Hellman shared secrets:
        • +
        • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 2048 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 256 (bits)
            • +
          • SHA Functions: SHA-256
            • +
          • +
        • Diffie-Hellman shared secret:
          • +
          • +
          • Length: 384 (bits)
            • +
          • SHA Functions: SHA-384
            • +
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, HMAC #3267

    +
      +
    • TLS:
      • +
      • +
      • Supports TLS 1.0/1.1
        • +
      • Supports TLS 1.2:
        • +
        • +
        • SHA Functions: SHA-256, SHA-384
          • +
        • +
      • +
    +

    Prerequisite: SHS #4009, HMAC #3267

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    +

    Version 10.0.16299

    FIPS186-4 ECDSA

    +

    Signature Generation of hash sized messages

    +

    ECDSA SigGen Component: CURVES( P-256 P-384 P-521 )

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1284
    +Version 10.0. 15063

    +

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1279
    +Version 10.0. 15063

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #922
    +Version 10.0.14393

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #894
    +Version 10.0.14393icrosoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #666
    +Version 10.0.10586

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 MsBignum Cryptographic Implementations #288
    +Version 6.3.9600

    FIPS186-4 RSA; PKCS#1 v2.1

    +

    RSASP1 Signature Primitive

    +

    RSASP1: (Mod2048: PKCS1.5 PKCSPSS)

    Windows 10 Creators Update (version 1703) Pro, Enterprise, Education Virtual TPM Implementations #1285
    +Version 10.0.15063

    +

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1282
    +Version 10.0.15063

    +

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1280
    +Version 10.0.15063

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #893
    +Version 10.0.14393

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update MsBignum Cryptographic Implementations #888
    +Version 10.0.14393

    +

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” MsBignum Cryptographic Implementations #665
    +Version 10.0.10586

    +

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 MsBignum Cryptographic Implementations #572
    +Version  10.0.10240

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry MsBignum Cryptographic Implementations #289
    +Version 6.3.9600

    FIPS186-4 RSA; RSADP

    +

    RSADP Primitive

    +

    RSADP: (Mod2048)

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile MsBignum Cryptographic Implementations #1283
    +Version 10.0.15063

    +

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1281
    +Version 10.0.15063

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4 and Surface Pro 3 w/ Windows 10 Anniversary Update Virtual TPM Implementations #895
    +Version 10.0.14393

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update Cryptography Next Generation (CNG) Implementations #887
    +Version 10.0.14393

    +

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” Cryptography Next Generation (CNG) Implementations #663
    +Version 10.0.10586

    +

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 Cryptography Next Generation (CNG) Implementations #576
    +Version  10.0.10240

    SP800-135

    +

    Section 4.1.1, IKEv1 Section 4.1.2, IKEv2 Section 4.2, TLS

    Windows 10 Home, Pro, Enterprise, Education, Windows 10 S Fall Creators Update and Windows Server, Windows Server Datacenter (version 1709); SymCrypt Cryptographic Implementations  #1496

    +

    Version 10.0.16299

    +

    Windows 10 Creators Update (version 1703) Home, Pro, Enterprise, Education, Windows 10 S, Windows 10 Mobile SymCrypt Cryptographic Implementations #1278
    +Version 10.0.15063

    +

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1140
    +Version 7.00.2872

    +

    Windows Embedded Compact Cryptographic Primitives Library (bcrypt.dll) #1139
    +Version 8.00.6246

    +

    Microsoft Windows 10 Anniversary Update, Windows Server 2016, Windows Storage Server 2016; Microsoft Surface Book, Surface Pro 4, Surface Pro 3 and Surface 3 w/ Windows 10 Anniversary Update; Microsoft Lumia 950 and Lumia 650 w/ Windows 10 Mobile Anniversary Update BcryptPrimitives and NCryptSSLp #886
    +Version 10.0.14393

    +

    Microsoft Windows 10 November 2015 Update; Microsoft Surface Book, Surface Pro 4, Surface Pro 3, Surface 3, Surface Pro 2, and Surface Pro w/ Windows 10 November 2015 Update; Windows 10 Mobile for Microsoft Lumia 950 and Microsoft Lumia 635; Windows 10 for Microsoft Surface Hub 84” and Surface Hub 55” BCryptPrimitives and NCryptSSLp #664
    +Version 10.0.10586

    +

    Microsoft Windows 10, Microsoft Surface Pro 3 with Windows 10, Microsoft Surface 3 with Windows 10, Microsoft Surface Pro 2 with Windows 10, Microsoft Surface Pro with Windows 10 BCryptPrimitives and NCryptSSLp #575
    +Version  10.0.10240

    +

    Microsoft Windows 8.1, Microsoft Windows Server 2012 R2, Microsoft Windows Storage Server 2012 R2, Microsoft Windows RT 8.1, Microsoft Surface with Windows RT 8.1, Microsoft Surface Pro with Windows 8.1, Microsoft Surface 2, Microsoft Surface Pro 2, Microsoft Surface Pro 3, Microsoft Windows Phone 8.1, Microsoft Windows Embedded 8.1 Industry and Microsoft StorSimple 8100 BCryptPrimitives and NCryptSSLp #323
    +Version 6.3.9600

    + + +## References + +\[[FIPS 140](http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf)\] - FIPS 140-2, Security Requirements for Cryptographic Modules + +\[[FIPS FAQ](http://csrc.nist.gov/groups/stm/cmvp/documents/cmvpfaq.pdf)\] - Cryptographic Module Validation Program (CMVP) FAQ + +\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) + +\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths + +## Additional Microsoft References + +Enabling FIPS mode - + +Cipher Suites in Schannel - [http://msdn.microsoft.com/library/aa374757(VS.85).aspx](https://msdn.microsoft.com/library/aa374757\(vs.85\).aspx) + diff --git a/windows/security/threat-protection/images/powershell-example.png b/windows/security/threat-protection/images/powershell-example.png new file mode 100644 index 0000000000..4ec2be97af Binary files /dev/null and b/windows/security/threat-protection/images/powershell-example.png differ diff --git a/windows/security/threat-protection/images/vbs-example.png b/windows/security/threat-protection/images/vbs-example.png new file mode 100644 index 0000000000..6a1cc80fd4 Binary files /dev/null and b/windows/security/threat-protection/images/vbs-example.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 4ec7962649..028116204e 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -9,11 +9,11 @@ ms.sitesec: library ms.pagetype: security author: dansimp ms.localizationpriority: medium -ms.date: 09/07/2018 +ms.date: 10/04/2018 --- # Threat Protection -Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. +[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture.

    Windows Defender ATP

    @@ -30,7 +30,7 @@ Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified
    Management and APIs
    - +
    Microsoft threat protection
    Microsoft Threat Protection

    @@ -38,11 +38,12 @@ Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified -**Attack surface reduction**
    +**[Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)**
    The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. - [Hardware based isolation](windows-defender-atp/overview-hardware-based-isolation.md) - [Application control](windows-defender-application-control/windows-defender-application-control.md) +- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - [Exploit protection](windows-defender-exploit-guard/exploit-protection-exploit-guard.md) - [Network protection](windows-defender-exploit-guard/network-protection-exploit-guard.md) - [Controlled folder access](windows-defender-exploit-guard/controlled-folders-exploit-guard.md) @@ -51,19 +52,19 @@ The attack surface reduction set of capabilities provide the first line of defen -**Next generation protection**
    +**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
    To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. -- [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus) +- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) +- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md) +- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus) - [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) - -**Endpoint protection and response**
    - -Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +**[Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
    +Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. - [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) - [Historical endpoint data](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) @@ -74,7 +75,7 @@ Endpoint protection and response capabilities are put in place to detect, invest -**Automated investigation and remediation**
    +**[Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md)**
    In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - [Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md) @@ -84,8 +85,7 @@ In conjunction with being able to quickly respond to advanced attacks, Windows D -**Secure score**
    - +**[Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)**
    Windows Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. - [Asset inventory](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) - [Recommended improvement actions](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) @@ -94,7 +94,7 @@ Windows Defender ATP includes a secure score to help you dynamically assess the -**Advanced hunting**
    +**[Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)**
    Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your organization. - [Custom detection](windows-defender-atp/overview-custom-detections.md) @@ -102,7 +102,7 @@ Create custom threat intelligence and use a powerful search and query tool to hu -**Management and APIs**
    +**[Management and APIs](windows-defender-atp/management-apis.md)**
    Integrate Windows Defender Advanced Threat Protection into your existing workflows. - [Onboarding](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) - [API and SIEM integration](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) @@ -112,8 +112,8 @@ Integrate Windows Defender Advanced Threat Protection into your existing workflo -**Microsoft threat protection**
    -Bring the power of Microsoft threat protection to your organization. +**[Microsoft Threat Protection](windows-defender-atp/threat-protection-integration.md)**
    + Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization. - [Conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) - [O365 ATP](windows-defender-atp/threat-protection-integration.md) - [Azure ATP](windows-defender-atp/threat-protection-integration.md) diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md index 2f6a6ce43c..b33d8c80f8 100644 --- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md +++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md @@ -1,7 +1,7 @@ --- title: Coordinated Malware Eradication -description: Information and criteria regarding CME -keywords: security, malware +description: The Coordinated Malware Eradication program aims to unite security organizations to disrupt the malware ecosystem. +keywords: security, malware, malware eradication, Microsoft Malware Protection Center, MMPC ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -32,4 +32,4 @@ Organizations participating in the CME effort work together to help eradicate se Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware). -If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join CME, [VIA](./virus-information-alliance-criteria.md), or [MVI](./virus-initiative-criteria.md). \ No newline at end of file +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/criteria.md b/windows/security/threat-protection/intelligence/criteria.md index ab053f956f..338810c3c0 100644 --- a/windows/security/threat-protection/intelligence/criteria.md +++ b/windows/security/threat-protection/intelligence/criteria.md @@ -1,7 +1,7 @@ --- title: How Microsoft identifies malware and potentially unwanted applications -description: criteria -keywords: security, malware +description: Learn how Microsoft reviews software for unwanted behavior, advertising, privacy violations, and negative consumer opinion to determine if it is malware (malicious software) or potentially unwanted applications. +keywords: security, malware, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats, MMPC, Microsoft Malware Protection Center, PUA, potentially unwanted applications ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md index 52a769a8b5..8a1c4b9338 100644 --- a/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md +++ b/windows/security/threat-protection/intelligence/cybersecurity-industry-partners.md @@ -1,7 +1,7 @@ --- title: Industry collaboration programs -description: Describing the 3 industry collaboration programs -keywords: security, malware +description: Microsoft industry-wide antimalware collaboration programs - Virus Information Alliance (VIA), Microsoft Virus Initiative (MVI), and Coordinated Malware Eradication (CME) +keywords: security, malware, antivirus industry, antimalware Industry, collaboration programs, alliances, Virus Information Alliance, Microsoft Virus Initiative, Coordinated Malware Eradication, WDSI, MMPC, Microsoft Malware Protection Center, partnerships ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/developer-resources.md b/windows/security/threat-protection/intelligence/developer-resources.md index 612338fcad..def783966f 100644 --- a/windows/security/threat-protection/intelligence/developer-resources.md +++ b/windows/security/threat-protection/intelligence/developer-resources.md @@ -26,18 +26,12 @@ Check out the following resources for information on how to submit and view subm ### Detection criteria -To objectively identify malware and unidentified software, Microsoft applies a set of criteria for evaluating malicious or potentially harmful code. - -For more information, see +To objectively identify malware and unidentified software, Microsoft applies a [set of criteria](criteria.md) for evaluating malicious or potentially harmful code. ### Developer questions -Find more guidance about the file submission and detection dispute process in our FAQ for software developers. - -For more information, see +Find more guidance about the file submission and detection dispute process in our [FAQ for software developers](developer-faq.md). ### Scan your software -Use Windows Defender Antivirus to check your software against the latest definitions and cloud protection from Microsoft. - -For more information, see \ No newline at end of file +Use [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) to check your software against the latest definitions and cloud protection from Microsoft. diff --git a/windows/security/threat-protection/intelligence/exploits-malware.md b/windows/security/threat-protection/intelligence/exploits-malware.md index 252dc72d31..460e31a545 100644 --- a/windows/security/threat-protection/intelligence/exploits-malware.md +++ b/windows/security/threat-protection/intelligence/exploits-malware.md @@ -1,7 +1,7 @@ --- title: Exploits and exploit kits -description: Learn about exploits, how they can infect devices, and what you can do to protect yourself. -keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities +description: Learn about how exploits use vulnerabilities in common software to give an attackers access to your computer and to install other malware. +keywords: security, malware, exploits, exploit kits, prevention, vulnerabilities, Microsoft, Exploit malware family, exploits, java, flash, adobe, update software, prevent exploits, exploit pack, vulnerability, 0-day, holes, weaknesses, attack, Flash, Adobe, out-of-date software, out of date software, update, update software, reinfection, Java cache, reinfected, won't remove, won't clean, still detects, full scan, MSE, Defender, WDSI, MMPC, Microsoft Malware Protection Center ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md index 050b8e2733..435ac333f9 100644 --- a/windows/security/threat-protection/intelligence/fileless-threats.md +++ b/windows/security/threat-protection/intelligence/fileless-threats.md @@ -13,7 +13,7 @@ ms.date: 09/14/2018 #Fileless threats -What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate. In the Sharpshooter example, while the payload itself is fileless, the entry point relies on scripts that need to be dropped on the target’s machine and executed. This, too, is considered a fileless attack. +What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate. Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, information theft, lateral movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another. @@ -22,11 +22,11 @@ To shed light on this loaded term, we grouped fileless threats into different ca ![Comprehensive diagram of fileless malware](images/fileless-malware.png)
    *Figure 1. Comprehensive diagram of fileless malware* -First, we can classify the entry point (inner circle in the diagram), which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts. +We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts. -Next, we can list the form of entry point (intermediate circle): for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector. +Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector. -Finally, we can classify the host of the infection (outer circle): for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads. +Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads. This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced. @@ -83,9 +83,14 @@ Having described the broad categories, we can now dig into the details and provi **File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes. -**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe), and they’re implemented in a scripting language, so there is no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute. +**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe), and they’re implemented in a scripting language, so there is no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute. **Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros: they’re textual files (not binary executables) and they run within the context of the interpreter (e.g., wscript.exe, powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being able to run on the command line can allow malware to encode malicious command-line scripts as auto-start services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt. **Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it. +##Defeating fileless malware + +At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats. + +To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/) \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/images/PrevalentMalware-67-percent.png b/windows/security/threat-protection/intelligence/images/PrevalentMalware-67-percent.png deleted file mode 100644 index 8e2221a40b..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/PrevalentMalware-67-percent.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/images/PrevalentMalware.png b/windows/security/threat-protection/intelligence/images/PrevalentMalware.png new file mode 100644 index 0000000000..8d93b4ed9d Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/PrevalentMalware.png differ diff --git a/windows/security/threat-protection/intelligence/images/PrevalentMalware0818.png b/windows/security/threat-protection/intelligence/images/PrevalentMalware0818.png deleted file mode 100644 index 8e3fb0cfde..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/PrevalentMalware0818.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/images/RealWorld-67-percent.png b/windows/security/threat-protection/intelligence/images/RealWorld-67-percent.png deleted file mode 100644 index 9e011c0e6a..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/RealWorld-67-percent.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/images/RealWorld.png b/windows/security/threat-protection/intelligence/images/RealWorld.png new file mode 100644 index 0000000000..82b7983c38 Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/RealWorld.png differ diff --git a/windows/security/threat-protection/intelligence/images/RealWorld0818.png b/windows/security/threat-protection/intelligence/images/RealWorld0818.png deleted file mode 100644 index f1768f8187..0000000000 Binary files a/windows/security/threat-protection/intelligence/images/RealWorld0818.png and /dev/null differ diff --git a/windows/security/threat-protection/intelligence/images/fileless-malware.png b/windows/security/threat-protection/intelligence/images/fileless-malware.png index f55afcb5ff..2aa502e144 100644 Binary files a/windows/security/threat-protection/intelligence/images/fileless-malware.png and b/windows/security/threat-protection/intelligence/images/fileless-malware.png differ diff --git a/windows/security/threat-protection/intelligence/images/se-labs.png b/windows/security/threat-protection/intelligence/images/se-labs.png new file mode 100644 index 0000000000..41bdc75e8a Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/se-labs.png differ diff --git a/windows/security/threat-protection/intelligence/images/se-labs2.PNG b/windows/security/threat-protection/intelligence/images/se-labs2.PNG new file mode 100644 index 0000000000..630109a897 Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/se-labs2.PNG differ diff --git a/windows/security/threat-protection/intelligence/macro-malware.md b/windows/security/threat-protection/intelligence/macro-malware.md index 27bccb2f06..1feeecd262 100644 --- a/windows/security/threat-protection/intelligence/macro-malware.md +++ b/windows/security/threat-protection/intelligence/macro-malware.md @@ -1,7 +1,7 @@ --- title: Macro malware -description: Learn about how macro malware works, how it can infect devices, and what you can do to protect yourself. -keywords: security, malware, macro, protection +description: Learn about macro viruses and malware, which are embedded in documents and are used to drop malicious payloads and distribute other threats. +keywords: security, malware, macro, protection, WDSI, MMPC, Microsoft Malware Protection Center, macro virus, macro malware, documents, viruses in Office, viruses in Word ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -38,6 +38,6 @@ We've seen macro malware download threats from the following families: * Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads. -* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules) +* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules) For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md index 35db2cac2b..2dd0229441 100644 --- a/windows/security/threat-protection/intelligence/malware-naming.md +++ b/windows/security/threat-protection/intelligence/malware-naming.md @@ -1,7 +1,7 @@ --- title: Malware names -description: Identifying malware vocabulary -keywords: security, malware, names +description: Understand the malware naming convention used by Windows Defender Antivirus and other Microsoft antimalware. +keywords: security, malware, names, Microsoft, MMPC, Microsoft Malware Protection Center, WDSI, malware name, malware prefix, malware type, virus name ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md index 7449644117..bc99e5240b 100644 --- a/windows/security/threat-protection/intelligence/phishing.md +++ b/windows/security/threat-protection/intelligence/phishing.md @@ -122,7 +122,7 @@ If you feel that you have been a victim of a phishing attack, contact your IT Ad ### Reporting spam -Submit phishing scam emails to **Microsoft** by sending an email with the scam as an attachment to: phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/en-us/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis). +Submit phishing scam emails to **Microsoft** by sending an email with the scam as an attachment to: phish@office365.microsoft.com. For more information on submitting messages to Microsoft, see [Submit spam, non-spam, and phishing scam messages to Microsoft for analysis](https://docs.microsoft.com/office365/SecurityCompliance/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis). For Outlook and Outlook on the web users, use the **Report Message Add-in** for Microsoft Outlook. For information about how to install and use this tool, see [Enable the Report Message add-in](https://support.office.com/article/4250c4bc-6102-420b-9e0a-a95064837676). diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 731b7e0e95..4340c81fde 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -1,7 +1,7 @@ --- title: Prevent malware infection -description: Malware prevention best practices -keywords: security, malware, prevention, infection, tips +description: Learn steps you can take to help prevent a malware or potentially unwanted software from infecting your computer. +keywords: security, malware, prevention, infection, tips, Microsoft, MMPC, Microsoft Malware Protection Center, virus, trojan, worm, stop, prevent, full scan, infection, avoid malware, avoid trojan, avoid virus, infection, how, detection, security software, antivirus, updates, how malware works, how virus works, firewall, turn on, user privileges, limit, prevention, WDSI, MMPC, Microsoft Malware Protection Center ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -90,7 +90,7 @@ Microsoft provides comprehensive security capabilities that help protect against * [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard) stops ransomware in its tracks by preventing unauthorized access to your important files. Controlled folder access locks down folders, allowing only authorized apps to access files. Unauthorized apps, including ransomware and other malicious executable files, DLLs, and scripts are denied access. -* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using Microsoft [SmartScreen](https://docs.microsoft.com/en-us/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites. +* [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) browser protects against threats such as ransomware by preventing exploit kits from running. By using Microsoft [SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index), Microsoft Edge blocks access to malicious websites. * [Microsoft Exchange Online Protection (EOP)](https://products.office.com/exchange/exchange-email-security-spam-protection) offers enterprise-class reliability and protection against spam and malware, while maintaining access to email during and after emergencies. diff --git a/windows/security/threat-protection/intelligence/ransomware-malware.md b/windows/security/threat-protection/intelligence/ransomware-malware.md index 484ae796f1..3441ceb6d7 100644 --- a/windows/security/threat-protection/intelligence/ransomware-malware.md +++ b/windows/security/threat-protection/intelligence/ransomware-malware.md @@ -1,7 +1,7 @@ --- title: Ransomware -description: Learn about ransomware, how it works, and what you can do to protect yourself. -keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips +description: Learn how to protect your computer and network from ransomware attacks, which can stop you from accessing your files. +keywords: security, malware, ransomware, encryption, extortion, money, key, infection, prevention, tips, WDSI, MMPC, Microsoft Malware Protection Center, ransomware-as-a-service, ransom, ransomware downloader, protection, prevention, solution, exploit kits, backup, Cerber, Locky, WannaCry, WannaCrypt, Petya, Spora ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/rootkits-malware.md b/windows/security/threat-protection/intelligence/rootkits-malware.md index 24d7b3ca8a..cf0bc0334f 100644 --- a/windows/security/threat-protection/intelligence/rootkits-malware.md +++ b/windows/security/threat-protection/intelligence/rootkits-malware.md @@ -1,7 +1,7 @@ --- title: Rootkits -description: Learn about rootkits, how they hide malware on your device, and what you can do to protect yourself. -keywords: security, malware, rootkit, hide, protection, hiding +description: Rootkits may be used by malware authors to hide malicious code on your computer and make malware or potentially unwanted software harder to remove. +keywords: security, malware, rootkit, hide, protection, hiding, WDSI, MMPC, Microsoft Malware Protection Center, rootkits, Sirefef, Rustock, Sinowal, Cutwail, malware, virus ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md index 46d99ff069..b4f4ff5cc4 100644 --- a/windows/security/threat-protection/intelligence/safety-scanner-download.md +++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md @@ -5,7 +5,7 @@ keywords: security, malware ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library -ms.localizationpriority: high +ms.localizationpriority: medium ms.author: dansimp author: dansimp ms.date: 08/01/2018 @@ -13,16 +13,18 @@ ms.date: 08/01/2018 # Microsoft Safety Scanner Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats. -- [Download 32-bit](https://go.microsoft.com/fwlink/?LinkId=212733) +- [Download Microsoft Safety Scanner (32-bit)](https://go.microsoft.com/fwlink/?LinkId=212733) -- [Download 64-bit](https://go.microsoft.com/fwlink/?LinkId=212732) +- [Download Microsoft Safety Scanner (64-bit)](https://go.microsoft.com/fwlink/?LinkId=212732) Safety Scanner only scans when manually triggered and is available for use 10 days after being downloaded. We recommend that you always download the latest version of this tool before each scan. -> **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/en-us/windows/windows-defender) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/en-us/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection). +> **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/en-us/windows/windows-defender) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection). + +> **NOTE:** Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download. ## System requirements -Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/en-us/lifecycle). +Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/lifecycle). ## How to run a scan 1. Download this tool and open it. @@ -31,13 +33,13 @@ Safety Scanner helps remove malicious software from computers running Windows 10 To remove this tool, delete the executable file (msert.exe by default). -For more information about the Safety Scanner, see the support article on [how to troubleshoot problems using Safety Scanner](https://support.microsoft.com/en-us/kb/2520970). +For more information about the Safety Scanner, see the support article on [how to troubleshoot problems using Safety Scanner](https://support.microsoft.com/kb/2520970). ## Related resources -- [Troubleshooting Safety Scanner](https://support.microsoft.com/en-us/kb/2520970) +- [Troubleshooting Safety Scanner](https://support.microsoft.com/kb/2520970) - [Windows Defender Antivirus](https://www.microsoft.com/en-us/windows/windows-defender) -- [Microsoft Security Essentials](https://support.microsoft.com/en-us/help/14210/security-essentials-download) +- [Microsoft Security Essentials](https://support.microsoft.com/help/14210/security-essentials-download) - [Removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection) - [Submit file for malware analysis](https://www.microsoft.com/en-us/wdsi/filesubmission) - [Microsoft antimalware and threat protection solutions](https://www.microsoft.com/en-us/wdsi/products) \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/submission-guide.md b/windows/security/threat-protection/intelligence/submission-guide.md index b72568d223..49259aa858 100644 --- a/windows/security/threat-protection/intelligence/submission-guide.md +++ b/windows/security/threat-protection/intelligence/submission-guide.md @@ -1,7 +1,7 @@ --- title: How Microsoft identifies malware and potentially unwanted applications -description: criteria -keywords: security, malware +description: Learn how to submit files to Microsoft for malware analysis, how to track your submissions, and dispute detections. +keywords: security, sample submission help, malware file, virus file, trojan file, submit, send to Microsoft, submit a sample, virus, trojan, worm, undetected, doesn’t detect, email microsoft, email malware, I think this is malware, I think it's a virus, where can I send a virus, is this a virus, MSE, doesn’t detect, no signature, no detection, suspect file, MMPC, Microsoft Malware Protection Center, researchers, analyst, WDSI ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/supply-chain-malware.md b/windows/security/threat-protection/intelligence/supply-chain-malware.md index ce1112d198..340a2bf9f0 100644 --- a/windows/security/threat-protection/intelligence/supply-chain-malware.md +++ b/windows/security/threat-protection/intelligence/supply-chain-malware.md @@ -17,6 +17,8 @@ Supply chain attacks are an emerging kind of threat that target software develop ## How supply chain attacks work +> [!video https://www.youtube.com/embed/uXm2XNSavwo] + Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes. Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same trust and permissions as the app. diff --git a/windows/security/threat-protection/intelligence/support-scams.md b/windows/security/threat-protection/intelligence/support-scams.md index 821900539a..098be59223 100644 --- a/windows/security/threat-protection/intelligence/support-scams.md +++ b/windows/security/threat-protection/intelligence/support-scams.md @@ -1,7 +1,7 @@ --- title: Tech Support Scams -description: Learn about how supply chain attacks work, deliver malware do your devices, and what you can do to protect yourself -keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report +description: Microsoft security software can protect you from tech support scams that claims to scan for malware or viruses and then shows you fake detections and warnings. +keywords: security, malware, tech support, scam, protection, trick, spoof, fake, error messages, report, rogue security software, fake, antivirus, fake software, rogue, threats, fee, removal fee, upgrade, pay for removal, install full version, trial, lots of threats, scanner, scan, clean, computer, security, program, XP home security, fake microsoft, activate, activate scan, activate antivirus, warnings, pop-ups, security warnings, security pop-ups tech support scams, fake Microsoft error notification, fake virus alert, fake product expiration, fake Windows activation, scam web pages, scam phone numbers, telephone numbers, MMPC, WDSI, Microsoft Malware Protection Center, tech support scam numbers ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -22,7 +22,7 @@ Scammers might also initiate contact by displaying fake error messages on websit When you engage with the scammers, they can offer fake solutions for your “problems” and ask for payment in the form of a one-time fee or subscription to a purported support service. -**For more information, view [known tech support scam numbers and popular web scams](https://support.microsoft.com/en-us/help/4013405/windows-protect-from-tech-support-scams).** +**For more information, view [known tech support scam numbers and popular web scams](https://support.microsoft.com/help/4013405/windows-protect-from-tech-support-scams).** ## How to protect against tech support scams @@ -40,7 +40,7 @@ It is also important to keep the following in mind: * Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites. -* Enable Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware. +* Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware. ## What to do if information has been given to a tech support person @@ -60,4 +60,4 @@ Help Microsoft stop scammers, whether they claim to be from Microsoft or from an **www.microsoft.com/reportascam** -You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality. \ No newline at end of file +You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality. diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index e984e5abab..34297ac109 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -1,14 +1,14 @@ --- title: Top scoring in industry antivirus tests description: Windows Defender Antivirus consistently achieves high scores in independent tests. View the latest scores and analysis. -keywords: security, malware, av-comparatives, av-test, av, antivirus +keywords: security, malware, av-comparatives, av-test, av, antivirus, windows, defender, scores ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 09/05/2018 +ms.date: 11/07/2018 --- # Top scoring in industry antivirus tests @@ -17,61 +17,83 @@ ms.date: 09/05/2018 We want to be transparent and have gathered top industry reports that demonstrate our enterprise antivirus capabilities. Note that these tests only provide results for antivirus and do not test for additional security protections. -In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). Windows Defender AV is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) security stack which addresses the latest and most sophisticated threats today. In many cases, customers might not even know they were protected. That's because Windows Defender AV detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. - -> [!TIP] -> Learn why [Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise?ocid=cx-docs-avreports). - +In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). Windows Defender Antivirus is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) security stack which addresses the latest and most sophisticated threats today. In many cases, customers might not even know they were protected. That's because Windows Defender Antivirus detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies.



    ![AV-TEST logo](./images/av-test-logo.png) ## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test - The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). +> [!NOTE] +> [Download our latest analysis: Examining the AV-TEST July-August results](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y) -### May-June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest** +### July-August 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/august-2018/microsoft-windows-defender-antivirus-4.12--4.18-183212/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IL3Y) - Windows Defender AV achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples. With the latest results, Windows Defender AV has achieved 100% on 10 of the 12 most recent antivirus tests (combined "Real-World" and "Prevalent malware"). + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 20,022 malware samples. With the latest results, Windows Defender Antivirus has achieved 100% on 14 of the 16 most recent antivirus tests (combined "Real-World" and "Prevalent malware"). + +### May-June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) + + Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples. ### March-April 2018 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) - Windows Defender AV achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). + Windows Defender Antivirus achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). ### January-February 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2018/microsoft-windows-defender-antivirus-4.12-180674/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports) -Windows Defender AV achieved an overall Protection score of 6.0/6.0, with 5,105 malware samples tested. +Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 5,105 malware samples tested. ||| |---|---| -|![Graph describing Real-World detection rate](./images/RealWorld-67-percent.png)|![Graph describing Prevalent Malware](./images/PrevalentMalware-67-percent.png)| +|![Graph describing Real-World detection rate](./images/RealWorld.png)|![Graph describing Prevalent Malware](./images/PrevalentMalware.png)|

    ![AV-Comparatives Logo](./images/av-comparatives-logo-3.png) -## AV-Comparatives: Perfect protection rating of 100% in the latest test +## AV-Comparatives: Protection rating of 99.8% in the latest test AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions. -### Real-World Protection Test July (Consumer): [Protection Rate 100%](https://www.av-comparatives.org/tests/real-world-protection-test-july-2018-factsheet/) **Latest** +### Real-World Protection Test August - September (Enterprise): [Protection Rate 99.8%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-august-september-2018-testresult/) **Latest** -The results are based on testing against 186 malicious URLs that have working exploits or point directly to malware. +This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. +The test set contained 599 test cases (such as malicious URLs). + +### Malware Protection Test August 2018 (Enterprise): [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-august-2018-testresult/) + +This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. The results are based on testing against 1,556 malware samples. ### Real-World Protection Test March - June (Enterprise): [Protection Rate 98.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-june-2018-testresult/) -This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. +The test set contained 1,163 test cases (such as malicious URLs). ### Malware Protection Test March 2018 (Enterprise): [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/) -This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. +For this test, 1,470 recent malware samples were used. [Historical AV-Comparatives Microsoft tests](https://www.av-comparatives.org/vendors/microsoft/) +

    +

    + +![SE Labs Logo](./images/se-labs2.png) + +## SE Labs: Total accuracy rating of AAA in the latest test + +SE Labs tests a range of solutions used by products and services to detect and/or protect against attacks, including endpoint software, network appliances, and cloud services. + +### Enterprise Endpoint Protection July - September 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/jul-sep-2018-enterprise.pdf) **pdf** + +Microsoft's next-gen protection was named as one of the most effective products, stopping all public and targeted attacks. It showcased its ability to block malicious URLs, deal with exploits, and classify legitimate apps and websites correctly. + +### Enterprise Endpoint Protection April - June 2018: [AAA award](https://selabs.uk/download/enterprise/epp/2018/apr-jun-2018-enterprise.pdf) **pdf** + +Microsoft's next-gen protection was named as one of the most effective products, stopping all targeted attacks and the vast majority of public threats. ## To what extent are tests representative of protection in the real world? -It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the antivirus evaluations highlighted above. Windows Defender AV encounters ~200 million samples every month, and the typical antivirus test consists of between 100-5,000 samples. The vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. +It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the antivirus evaluations highlighted above. Windows Defender Antivirus encounters ~200 million samples every month, and the typical antivirus test consists of between 100-5,000 samples. The vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. -The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) also provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests. These technologies address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that Windows Defender ATP components [catch samples that Windows Defender AV missed](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) in these industry tests, which is more representative of how effectively our security suite protects customers in the real world. +The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) also provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests. These technologies address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that Windows Defender ATP components [catch samples that Windows Defender Antivirus missed](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) in these industry tests, which is more representative of how effectively our security suite protects customers in the real world. Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). diff --git a/windows/security/threat-protection/intelligence/trojans-malware.md b/windows/security/threat-protection/intelligence/trojans-malware.md index f3974e7341..47a21f4308 100644 --- a/windows/security/threat-protection/intelligence/trojans-malware.md +++ b/windows/security/threat-protection/intelligence/trojans-malware.md @@ -1,7 +1,7 @@ --- title: Trojan malware -description: Learn about how trojans work, deliver malware do your devices, and what you can do to protect yourself. -keywords: security, malware, protection, trojan, download, file, infection +description: Trojans are a type of threat that can infect your device. This page tells you what they are and how to remove them. +keywords: security, malware, protection, trojan, download, file, infection, trojans, virus, protection, cleanup, removal, antimalware, antivirus, WDSI, MMPC, Microsoft Malware Protection Center, malware types ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library diff --git a/windows/security/threat-protection/intelligence/understanding-malware.md b/windows/security/threat-protection/intelligence/understanding-malware.md index f2ed89b560..2f819e06b0 100644 --- a/windows/security/threat-protection/intelligence/understanding-malware.md +++ b/windows/security/threat-protection/intelligence/understanding-malware.md @@ -1,7 +1,7 @@ --- title: Understanding malware & other threats -description: Learn about the different types of malware, how they work, and what you can do to protect yourself. -keywords: security, malware +description: Learn about the world's most prevalent viruses, malware, and other threats. Understand how they arrive, their detailed behaviors, infection symptoms, and how to prevent & remove them. +keywords: security, malware, virus, malware, threat, analysis, research, encyclopedia, dictionary, glossary, ransomware, support scams, unwanted software, computer infection, virus infection, descriptions, remediation, latest threats, mmpc, microsoft malware protection center, wdsi ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -16,7 +16,7 @@ Malware is a term used to describe malicious applications and code that can caus Cybercriminals that distribute malware are often motivated by money and will use infected computers to launch attacks, obtain banking credentials, collect information that can be sold, sell access to computing resources, or extort payment from victims. -As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With Windows Defender Advanced Threat Protection (Windows Defender ATP), businesses can stay protected with next-generation protection and other security capabilities. +As criminals become more sophisticated with their attacks, Microsoft is here to help. Windows 10 is the most secure version of Windows yet and includes many features to help protect you whether you're at home, at work, or on the go. With [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf), businesses can stay protected with next-generation protection and other security capabilities. For good general tips, check out the [prevent malware infection](prevent-malware-infection.md) topic. @@ -36,4 +36,4 @@ There are many types of malware, including: Keep up with the latest malware news and research. Check out our [Windows security blogs](https://aka.ms/wdsecurityblog) and follow us on [Twitter](https://twitter.com/wdsecurity) for the latest news, discoveries, and protections. -Learn more about [Windows security](https://docs.microsoft.com/en-us/windows/security/index). \ No newline at end of file +Learn more about [Windows security](https://docs.microsoft.com/windows/security/index). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/unwanted-software.md b/windows/security/threat-protection/intelligence/unwanted-software.md index bff16819a8..1bd6897c42 100644 --- a/windows/security/threat-protection/intelligence/unwanted-software.md +++ b/windows/security/threat-protection/intelligence/unwanted-software.md @@ -1,7 +1,7 @@ --- title: Unwanted software description: Learn about how unwanted software changes your default settings without your consent and what you can do to protect yourself. -keywords: security, malware, protection, unwanted, software, alter, infect +keywords: security, malware, protection, unwanted, software, alter, infect, unwanted software, software bundlers, browser modifiers, privacy, security, computing experience, prevent infection, solution, WDSI, MMPC, Microsoft Malware Protection Center, virus research threats, research malware, pc protection, computer infection, virus infection, descriptions, remediation, latest threats ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -36,7 +36,7 @@ Microsoft uses an extensive [evaluation criteria](https://www.microsoft.com/wdsi To prevent unwanted software infection, download software only from official websites, or from the Microsoft Store. Be wary of downloading software from third-party sites. -Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [SmartScreen](https://docs.microsoft.com/en-us/microsoft-edge/deploy/index) (also used by Internet Explorer). +Use [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/index) when browsing the internet. Microsoft Edge includes additional protections that effectively block browser modifiers that can change your browser settings. Microsoft Edge also blocks known websites hosting unwanted software using [SmartScreen](https://docs.microsoft.com/microsoft-edge/deploy/index) (also used by Internet Explorer). Enable [Windows Defender AV](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It provides real-time protection against threats and detects and removes known unwanted software. diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index 10e99ef924..7ce546eeed 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md @@ -1,7 +1,7 @@ --- title: Virus Information Alliance -description: Information and criteria regarding VIA -keywords: security, malware +description: The Microsoft Virus Information Alliance (VIA) is an antimalware collaboration program for security software and service providers, antimalware testing organizations, and other organizations involved in fighting cybercrime. +keywords: security, malware, Microsoft, MMPC, Microsoft Malware Protection Center, partners, sharing, samples, vendor exchange, CSS, alliance, WDSI ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -46,4 +46,4 @@ To be eligible for VIA your organization must: 3. Be willing to sign and adhere to the VIA membership agreement. -If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join VIA, [MVI](./virus-initiative-criteria.md), or [CME](./coordinated-malware-eradication.md). \ No newline at end of file +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md index 26f3bbce30..eeea702caa 100644 --- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md @@ -1,7 +1,7 @@ --- title: Microsoft Virus Initiative -description: Information and criteria regarding MVI -keywords: security, malware +description: The Microsoft Virus Initiative (MVI) helps organizations that make antivirus or antimalware products integrate with Windows and share antimalware telemetry data with Microsoft. +keywords: security, malware, MVI, Microsoft Malware Protection Center, MMPC, alliances, WDSI ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -52,6 +52,6 @@ Your organization must meet the following eligibility requirements to participat 7. Submit your AM app to Microsoft for periodic performance testing. -### Apply to MVI +### Apply now -If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join MVI, [VIA](./virus-information-alliance-criteria.md), or [CME](./coordinated-malware-eradication.md). \ No newline at end of file +If your organization meets these criteria and is interested in joining, [apply for membership now](https://www.microsoft.com/en-us/wdsi/alliances/apply-alliance-membership). If you have questions, [contact us for more information](https://www.microsoft.com/en-us/wdsi/alliances/collaboration-inquiry). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md index f1e88eb03c..c9e7ce8541 100644 --- a/windows/security/threat-protection/intelligence/worms-malware.md +++ b/windows/security/threat-protection/intelligence/worms-malware.md @@ -1,7 +1,7 @@ --- title: Worms -description: Learn about worms, how they infect devices, and what you can do to protect yourself. -keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt +description: Learn about how worms replicate and spread to other computers or networks. Read about the most popular worms and steps you can take to stop them. +keywords: security, malware, protection, worm, vulnerabilities, infect, steal, Jenxcus, Gamarue, Bondat, WannaCrypt, WDSI, MMPC, Microsoft Malware Protection Center, worms, malware types, threat propagation, mass-mailing, IP scanning ms.prod: w10 ms.mktglfcycl: secure ms.sitesec: library @@ -25,7 +25,7 @@ Jenxcus (also known as Dunihi), Gamarue (also known as Androm), and Bondat have * **Gamarue** typically arrives through spam campaigns, exploits, downloaders, social networking sites, and removable drives. When Gamarue infects a device, it becomes a distribution channel for other malware. We’ve seen it distribute other malware such as infostealers, spammers, clickers, downloaders, and rogues. -* **Bondat** typically arrives through fictitious Nullsoft Sciptable Install System (NSIS) Java installers and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. +* **Bondat** typically arrives through fictitious Nullsoft Scriptable Install System (NSIS), Java installers, and removable drives. When Bondat infects a system, it gathers information about the machine such as device name, Globally Unique Identifier (GUID), and OS build. It then sends that information to a remote server. Both Bondat and Gamarue have clever ways of obscuring themselves to evade detection. By hiding what they are doing, they try to avoid detection by security software. @@ -45,4 +45,4 @@ Download [Microsoft Security Essentials](https://www.microsoft.com/download/deta In case threat removal is unsuccessful, read about [troubleshooting malware detection and removal problems](https://www.microsoft.com/wdsi/help/troubleshooting-infection). -For more general tips, see [prevent malware infection](prevent-malware-infection.md). \ No newline at end of file +For more general tips, see [prevent malware infection](prevent-malware-infection.md). diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md new file mode 100644 index 0000000000..580a5b58bd --- /dev/null +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -0,0 +1,39 @@ +--- +title: Microsoft Baseline Security Analyzer (MBSA) removal and guidance on alternative solutions +description: This article documents the removal of MBSA and alternative solutions +keywords: MBSA, security, removal +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.author: astoica +author: andreiztm +ms.date: 10/05/2018 +--- + +# What is Microsoft Baseline Security Analyzer and its uses? + +Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. + +MBSA was largely used in situations where neither Microsoft Update nor a local WSUS/SCCM server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016. + +## The Solution +A script can help you with an alternative to MBSA’s patch-compliance checking: + +- [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85)), which includes a sample .vbs script. +For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be). + +For example: + +[![VBS script](images/vbs-example.png)](https://docs.microsoft.com/previous-versions/windows/desktop/aa387290(v=vs.85)) +[![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be) + +The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. +The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers. + +## More Information + +For security compliance and for desktop/server hardening, we recommend the Microsoft Security Baselines and the Security Compliance Toolkit. + +- [Windows security baselines](windows-security-baselines.md) +- [Download Microsoft Security Compliance Toolkit 1.0 ](https://www.microsoft.com/download/details.aspx?id=55319) +- [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/) diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 38cb2e0298..bb4bb74070 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -196,7 +196,7 @@ Control Flow Guard (CFG) is a mitigation that does not need configuration within In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won’t process domain-based Group Policy and scripts. > [!NOTE] -> The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/). +> The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/). ### Protected Processes @@ -285,15 +285,15 @@ Some of the protections available in Windows 10 are provided through functions t | Mitigation | Function | |-------------|-----------| -| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] | -| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] | -| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] | -| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx)
    \[ProcessSignaturePolicy\] | -| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx)
    \[ProcessSystemCallDisablePolicy\] | -| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] | -| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] | -| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] | -| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] | +| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] | +| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] | +| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] | +| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/library/windows/desktop/hh769088(v=vs.85).aspx)
    \[ProcessSignaturePolicy\] | +| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/library/windows/desktop/hh769088(v=vs.85).aspx)
    \[ProcessSystemCallDisablePolicy\] | +| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] | +| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] | +| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] | +| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/library/windows/desktop/ms686880(v=vs.85).aspx)
    \[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] | ## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index 5388ad4fd7..5afa6d82b1 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: sagaudre author: brianlic-msft -ms.date: 06/25/2018 +ms.date: 11/26/2018 --- # Microsoft Security Compliance Toolkit 1.0 @@ -22,6 +22,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group The Security Compliance Toolkit consists of: - Windows 10 security baselines + - Windows 10 Version 1809 (October 2018 Update) - Windows 10 Version 1803 (April 2018 Update) - Windows 10 Version 1709 (Fall Creators Update) - Windows 10 Version 1703 (Creators Update) @@ -30,6 +31,7 @@ The Security Compliance Toolkit consists of: - Windows 10 Version 1507 - Windows Server security baselines + - Windows Server 2019 - Windows Server 2016 - Windows Server 2012 R2 diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md index b85e285e97..1478eafa69 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-policy.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 10/11/2018 --- # Account Lockout Policy @@ -18,10 +18,13 @@ ms.date: 04/19/2017 Describes the Account Lockout Policy settings and links to information about each policy setting. -Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached. The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**. +Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account password by trial and error. Windows domain controllers keep track of logon attempts, and domain controllers can be configured to respond to this type of potential attack by disabling the account for a preset period of time. Account Lockout Policy settings control the threshold for this response and the actions to be taken after the threshold is reached. The Account Lockout Policy settings can be configured in the following location in the Group Policy Management Console: **Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**. The following topics provide a discussion of each policy setting's implementation and best practices considerations, policy location, default values for the server type or Group Policy Object (GPO), relevant differences in operating system versions, and security considerations (including the possible vulnerabilities of each policy setting), countermeasures that you can implement, and the potential impact of implementing the countermeasures. +>[!NOTE] +>Account lockout settings for remote access clients can be configured separately by editing the Registry on the server that manages the remote access. For more information, see [How to configure remote access client account lockout](https://support.microsoft.com/help/816118/how-to-configure-remote-access-client-account-lockout-in-windows-serve). + ## In this section | Topic | Description | diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index 1023c1e03f..40febeceab 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 11/02/2018 --- # Account lockout threshold @@ -22,23 +22,26 @@ Describes the best practices, location, values, and security considerations for The **Account lockout threshold** policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the [Account lockout duration](account-lockout-duration.md) policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If **Account lockout threshold** is set to a number greater than zero, **Account lockout duration** must be greater than or equal to the value of [Reset account lockout counter after](reset-account-lockout-counter-after.md). -Failed password attempts on workstations or member servers that have been locked by using CTRL+ALT+DELETE or password-protected screen savers do not count as failed sign-in attempts unless [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) is set to **Enabled**. If Interactive logon: Require Domain Controller authentication to unlock workstation is enabled, repeated failed password attempts to unlock the workstation will count against the account lockout threshold. - Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account. +Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn’t need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine. + ### Possible values It is possible to configure the following values for the **Account lockout threshold** policy setting: - A user-defined number from 0 through 999 - Not defined -Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this topic +Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this topic. ### Best practices -The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, a setting above 4 and below 10 could be an acceptable starting point for your organization. -> **Important:**  Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this topic. +The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend a value of 10 could be an acceptable starting point for your organization. + +As with other account lockeout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). + +Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this topic.   ### Location @@ -72,6 +75,8 @@ Implementation of this policy setting is dependent on your operational environme - When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases. - Not all apps that are used in your environment effectively manage how many times a user can attempt to sign-in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold. +For more information about Windows security baseline recommendations for account lockout, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). + ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. @@ -91,7 +96,7 @@ Because vulnerabilities can exist when this value is configured and when it is n - A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occur in the environment. - Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. - A good recommendation for such a configuration is 50 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but does not prevent a DoS attack. We recommend this option if your organization cannot implement complex password requirements and an audit policy that alerts administrators to a series of failed sign-in attempts. + [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but does not prevent a DoS attack. Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it is needed to help mitigate massive lockouts caused by an attack on your systems. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 5b63d093b8..d5b8c58676 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -60,7 +60,7 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | | Default Domain Policy | Not defined -| Default Domain Controler Policy | Not defined +| Default Domain Controller Policy | Not defined | Stand-Alone Server Default Settings | Disabled | DC Effective Default Settings | Disabled | Member Server Effective Default Settings | Disabled diff --git a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md new file mode 100644 index 0000000000..f8676a335b --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md @@ -0,0 +1,8 @@ +--- +author: jasongerend +ms.author: jgerend +ms.date: 1/4/2019 +ms.topic: include +ms.prod: w10 +--- +Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles. \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md index 1ae321bd87..83b3cbd192 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md +++ b/windows/security/threat-protection/security-policy-settings/increase-scheduling-priority.md @@ -84,11 +84,11 @@ A user who is assigned this user right could increase the scheduling priority of ### Countermeasure -Verify that only Administrators and and Window Manager/Window Manager Group have the **Increase scheduling priority** user right assigned to them. +Verify that only Administrators and Window Manager/Window Manager Group have the **Increase scheduling priority** user right assigned to them. ### Potential impact -None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and and Window Manager/Window Manager Group is the default configuration. +None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager/Window Manager Group is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index eec6a03a0a..fa9637e81f 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 09/18/2018 --- # Interactive logon: Machine inactivity limit @@ -26,7 +26,7 @@ Beginning with Windows Server 2012 and Windows 8, Windows detects user-input ina The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours). -If no value (blank) or zero (0) is present in the **Machine will be locked after** input field, then the policy setting is disabled and no action is taken on user-input inactivity for the session. +If **Machine will be locked after** is set to zero (0) or has no value (blank), the policy setting is disabled and a user sign-in session is never locked after any inactivity. ### Best practices diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md index 6028668431..0c05506d7b 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-age.md @@ -7,8 +7,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: brianlic-msft -ms.date: 04/19/2017 +author: justinha +ms.date: 11/13/2018 --- # Minimum password age @@ -20,7 +20,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. +The **Minimum password age** policy setting determines the period of time (in days) that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow password changes immediately by setting the number of days to 0. The minimum password age must be less than the Maximum password age, unless the maximum password age is set to 0, indicating that passwords will never expire. If the maximum password age is set to 0, the minimum password age can be set to any value between 0 and 998. ### Possible values @@ -29,9 +29,16 @@ The **Minimum password age** policy setting determines the period of time (in da ### Best practices -Set **Minimum password age** to a value of 2 days. Setting the number of days to 0 allows immediate password changes, which is not recommended. +[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend setting **Minimum password age** to 1 day. -If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**. +Setting the number of days to 0 allows immediate password changes, which is not recommended. +Combining immediate password changes with password history allows someone to change a password repeatedly until the password history requirement is met and re-establish the original password again. +For example, suppose a password is "Ra1ny day!" and the history requirement is 24. +If the minimum password age is 0, the password can be changed 24 times in a row until finally changed back to "Ra1ny day!". +The minimum password age of 1 day prevents that. + +If you set a password for a user and you want that user to change the administrator-defined password, you must select the **User must change password at next logon** check box. +Otherwise, the user will not be able to change the password until the number of days specified by **Minimum password age**. ### Location @@ -70,11 +77,11 @@ To address password reuse, you must use a combination of security settings. Usin ### Countermeasure -Configure the **Minimum password age** policy setting to a value of at least 2 days. Users should know about this limitation and contact the Help Desk if they need to change their password during that two-day period. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend. +Configure the **Minimum password age** policy setting to a value of 1 day. Users should know about this limitation and contact the Help Desk to change a password sooner. If you configure the number of days to 0, immediate password changes would be allowed, which we do not recommend. ### Potential impact -If you set a password for a user but wants that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day. +If you set a password for a user but want that user to change the password when the user first logs on, the administrator must select the **User must change password at next logon** check box, or the user cannot change the password until the next day. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index 6b9f166e9f..80899cad0c 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -8,21 +8,21 @@ ms.pagetype: security ms.localizationpriority: medium ms.localizationpriority: medium author: justinha -ms.date: 07/27/2017 +ms.date: 09/17/2018 --- # Network access: Restrict clients allowed to make remote calls to SAM **Applies to** - Windows 10, version 1607 and later -- Windows 10, version 1511 with [KB 4103198](https://support.microsoft.com/en-us/help/4013198) installed -- Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/en-us/help/4012606) installed -- Windows 8.1 with [KB 4102219](https://support.microsoft.com/en-us/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed -- Windows 7 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed +- Windows 10, version 1511 with [KB 4103198](https://support.microsoft.com/help/4013198) installed +- Windows 10, version 1507 with [KB 4012606](https://support.microsoft.com/help/4012606) installed +- Windows 8.1 with [KB 4102219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed +- Windows 7 with [KB 4012218](https://support.microsoft.com/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed - Windows Server 2016 -- Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/en-us/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed -- Windows Server 2012 with [KB 4012220](https://support.microsoft.com/en-us/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed -- Windows Server 2008 R2 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed +- Windows Server 2012 R2 with[KB 4012219](https://support.microsoft.com/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2) installed +- Windows Server 2012 with [KB 4012220](https://support.microsoft.com/help/4012220/march-2017-preview-of-monthly-quality-rollup-for-windows-server-2012) installed +- Windows Server 2008 R2 with [KB 4012218](https://support.microsoft.com/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory. @@ -130,7 +130,7 @@ Compare the security context attempting to remotely enumerate accounts with the ### Event Throttling A busy server can flood event logs with events related to the remote enumeration access check. To prevent this, access-denied events are logged once every 15 minutes by default. The length of this period is controlled by the following registry value. -|Registry Path|System\CurrentControlSet\Control\Lsa\ +|Registry Path|HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ | |---|---| Setting |RestrictRemoteSamEventThrottlingWindow| Data Type |DWORD| @@ -160,7 +160,7 @@ You can mitigate this vulnerability by enabling the **Network access: Restrict c If the policy is defined, admin tools, scripts and software that formerly enumerated users, groups and group membership may fail. To identify accounts that may be affected, test this setting in [audit only mode](#audit-only-mode). ## Related Topics -[Security Options](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/security-options) +[Security Options](https://technet.microsoft.com/itpro/windows/keep-secure/security-options) [SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b) diff --git a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md index e735885b8d..2d007bb365 100644 --- a/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md +++ b/windows/security/threat-protection/security-policy-settings/reset-account-lockout-counter-after.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 11/02/2018 --- # Reset account lockout counter after @@ -31,7 +31,9 @@ A disadvantage to setting this too high is that users lock themselves out for an ### Best practices -- You need to determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. +You need to determine the threat level for your organization and balance that against the cost of your Help Desk support for password resets. Each organization will have specific requirements. + +[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15, but as with other account lockeout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](https://blogs.technet.microsoft.com/secguide/2014/08/13/configuring-account-lockout/). ### Location @@ -60,7 +62,7 @@ Users can accidentally lock themselves out of their accounts if they mistype the ### Countermeasure -Configure the **Reset account lockout counter after** policy setting to 30. +[Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend configuring the **Reset account lockout counter after** policy setting to 15. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index 988d211159..78a93d1dc7 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network client: Digitally sign communications (always) @@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: - [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 16cffebd8d..74f1f7f04d 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network client: Digitally sign communications (if server agrees) @@ -29,7 +29,7 @@ If server-side SMB signing is required, a client computer will not be able to es If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index 8e2cdd2740..9661827e2a 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/201 +ms.date: 01/04/2019 --- # SMB v1 Microsoft network server: Digitally sign communications (always) @@ -33,7 +33,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 654a737d1a..7443f0f9de 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network server: Digitally sign communications (if client agrees) @@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index bba7a2624e..ae91d8d14b 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 08/29/2017 +ms.date: 11/16/2018 --- # System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing @@ -50,7 +50,7 @@ Additionally, if a data drive is password-protected, it can be accessed by a FIP ### Best practices -- For use with TLS, set this policy to **Enabled**. Client devices with this policy setting enabled will be unable to communicate through digitally encrypted or signed protocols with servers that do not support these algorithms. Client devices that are connected to the network and do not support these algorithms cannot use servers that require the algorithms for network communications. If you enable this policy setting, you must also configure Internet Explorer to use TLS. +There are no best practices for this setting. Our previous guidance had recommended a setting of **Enabled**, primarily to align with US Federal government recommendations. [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) recommend this setting be **Not Defined**, meaning that we leave the decision to customers. For a deeper explanation, see [Why We’re Not Recommending “FIPS Mode” Anymore](https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/). ### Location diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index fa31fb16e4..05f928f9a6 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -37,9 +37,9 @@ When the Admin Approval Mode is enabled, the local administrator account functio ### Best practices -- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. See [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) +- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. See [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](https://docs.microsoft.com/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) - To enable Admin Approval Mode, you must also configure the local security policy setting: [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) to **Prompt for consent on the secure desktop** and then click OK. + To enable Admin Approval Mode, you must also configure the local security policy setting: [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](https://docs.microsoft.com/windows/device-security/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) to **Prompt for consent on the secure desktop** and then click OK. > [!NOTE] > After enabling Admin Approval Mode, to activate the setting, you must first log in and out. Alternatively, You may perform **gpupdate /force** from an elevated command prompt. diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md index 27cfc0dcfb..ac6a9b786d 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md @@ -59,7 +59,7 @@ This policy setting determines the behavior of the elevation prompt for accounts - Selecting the option **Elevate without prompting** minimizes the protection that is provided by UAC. We do not recommend selecting this value unless administrator accounts are tightly controlled and the operating environment is highly secure. -- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. For further information, see [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) +- It is recommended not to enable the built-in Administrator account on the client computer, but to use the standard user account and User Account Control (UAC) instead. If you want to enable the built-in Administrator account to carry out administrative tasks, for security reasons you should also enable Admin Approval Mode. For further information, see [UAC-Admin-Approval-Mode-for-the-Built-in-Administrator-account](https://docs.microsoft.com/windows/device-security/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account) ### Location diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md index b07e349659..04daacbdfa 100644 --- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md +++ b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md @@ -15,15 +15,15 @@ ms.date: 07/27/2017 # WannaCrypt ransomware worm targets out-of-date systems -On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) if they have not already done so. +On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) if they have not already done so. -Microsoft antimalware diagnostic data immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware. +Microsoft antimalware diagnostic data immediately picked up signs of this campaign. Our expert systems gave us visibility and context into this new attack as it happened, allowing [Windows Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) to deliver real-time defense. Through automated analysis, machine learning, and predictive modeling, we were able to rapidly protect against this malware. In this blog, we provide an early analysis of the end-to-end ransomware attack. Please note this threat is still under investigation. The attack is still active, and there is a possibility that the attacker will attempt to react to our detection response. ## Attack vector -Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB 'EternalBlue' vulnerability, [CVE-2017-0145](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), which was released on March 14, 2017. +Ransomware threats do not typically spread rapidly. Threats like WannaCrypt (also known as WannaCry, WanaCrypt0r, WCrypt, or WCRY) usually leverage social engineering or email as primary attack vector, relying on users downloading and executing a malicious payload. However, in this unique case, the ransomware perpetrators used publicly available exploit code for the patched SMB 'EternalBlue' vulnerability, [CVE-2017-0145](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0145), which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. This vulnerability was fixed in security bulletin [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx), which was released on March 14, 2017. WannaCrypt's spreading mechanism is borrowed from [well-known](https://packetstormsecurity.com/files/142464/MS17-010-SMBv1-SrvOs2FeaToNt-OOB-Remote-Code-Execution.html) [public SMB exploits](https://github.com/RiskSense-Ops/MS17-010), which armed this regular ransomware with worm-like functionalities, creating an entry vector for machines still unpatched even after the fix had become available. @@ -181,12 +181,12 @@ When it successfully infects a vulnerable computer, the malware runs kernel-leve To get the latest protection from Microsoft, upgrade to [Windows 10](https://www.microsoft.com/en-us/windows/windows-10-upgrade). Keeping your computers [up-to-date](https://www.microsoft.com/en-us/security/portal/mmpc/help/updatefaqs.aspx) gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. -We recommend customers that have not yet installed the security update [MS17-010](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface: +We recommend customers that have not yet installed the security update [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface: - Disable SMBv1 with the steps documented at [Microsoft Knowledge Base Article 2696547](https://support.microsoft.com/kb/2696547) and as [recommended previously](https://blogs.technet.microsoft.com/filecab/2016/09/16/stop-using-smb1/) - Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445 -[Windows Defender Antivirus](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats. +[Windows Defender Antivirus](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-in-windows-10) detects this threat as [Ransom:Win32/WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt) as of the *1.243.297.0* update. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats. For enterprises, use [Device Guard](https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide) to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running. @@ -200,7 +200,7 @@ Download English language security updates: [Windows Server 2003 SP2 x64](http:/ Download localized language security updates: [Windows Server 2003 SP2 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e), [Windows Server 2003 SP2 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9), [Windows XP SP2 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa), [Windows XP SP3 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f), [Windows XP Embedded SP3 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add), [Windows 8 x86](https://www.microsoft.com/downloads/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340), [Windows 8 x64](https://www.microsoft.com/downloads/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0) -MS17-010 Security Update: [https://technet.microsoft.com/en-us/library/security/ms17-010.aspx](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) +MS17-010 Security Update: [https://technet.microsoft.com/library/security/ms17-010.aspx](https://technet.microsoft.com/library/security/ms17-010.aspx) Customer guidance for WannaCrypt attacks: [https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/](https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/) diff --git a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md index 2e776ea30d..06978674b3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md +++ b/windows/security/threat-protection/windows-defender-antivirus/collect-diagnostic-data-update-compliance.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Windows Defender AV Assessment section in the Update Compliance add-in. diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index 5544020384..eb9084b991 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure and manage Windows Defender Antivirus with the mpcmdrun.exe command-line tool **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can perform various Windows Defender Antivirus functions with the dedicated command-line tool mpcmdrun.exe. @@ -37,16 +37,20 @@ MpCmdRun.exe [command] [-options] Command | Description :---|:--- -\- ? **or** -h | Displays all available options for the tool -\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]][-Timeout ] | Scans for malicious software -\-Trace [-Grouping #] [-Level #]| Starts diagnostic tracing -\-GetFiles | Collects support information -\-RemoveDefinitions [-All] | Restores the installed signature definitions to a previous backup copy or to the original default set of signatures -\-AddDynamicSignature [-Path] | Loads a dynamic signature -\-ListAllDynamicSignature [-Path] | Lists the loaded dynamic signatures -\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature -\-ValidateMapsConnection | Used to validate connection to the [cloud-delivered protection service](configure-network-connections-windows-defender-antivirus.md) -\-SignatureUpdate [-UNC [-Path ]] | Checks for new definition updates +\-? **or** -h | Displays all available options​ for this tool​ +\-Scan [-ScanType #] [-File [-DisableRemediation] [-BootSectorScan]]​ [-Timeout ]​ [-Cancel]​ | Scans for malicious software​ +\-Trace [-Grouping #] [-Level #] | Starts diagnostic tracing​ +\-GetFiles | Collects support information​ +\-GetFilesDiagTrack | Same as Getfiles but outputs to​ temporary DiagTrack folder​ +\-RemoveDefinitions [-All] | Restores the installed​ signature definitions​ to a previous backup copy or to​ the original default set of​ signatures​ +\-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically​ downloaded signatures​ +\-SignatureUpdate [-UNC \| -MMPC] | Checks for new definition updates​ +\-Restore [-ListAll \| [[-Name ] [-All] \| [-FilePath ]] [-Path ]] | Restores or list​s quarantined item(s)​ +\-AddDynamicSignature [-Path] | Loads a dynamic signature​ +\-ListAllDynamicSignatures | Lists the loaded dynamic signatures​ +\-RemoveDynamicSignature [-SignatureSetID] | Removes a dynamic signature​ +\-CheckExclusion -path | Checks whether a path is excluded + ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md index c11220d5fc..2af6cfcbc3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can manage and configure Windows Defender Antivirus with the following tools: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md index 673fc41138..b916b9c91e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 10/25/2018 --- @@ -19,17 +19,17 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) **Use Microsoft Intune to configure scanning options** -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. **Use Configuration Manager to configure scanning options:** -See [How to create and deploy antimalware policies: Scan settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Scan settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scan-settings) for details on configuring System Center Configuration Manager (current branch). **Use Group Policy to configure scanning options** @@ -55,6 +55,10 @@ Scan removable drives during full scans only | Scan > Scan removable drives | Di Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor` Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available + Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available + +>[!NOTE] +>If real-time protection is enabled, files are scanned before they are accessed and executed. The scanning scope includes all files, including those on mounted removable devices such as USB drives. **Use PowerShell to configure scanning options** @@ -62,7 +66,7 @@ See [Manage Windows Defender Antivirus with PowerShell cmdlets](use-powershell-c **Use WMI to configure scanning options** -For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx). +For using WMI classes, see [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx). ### Email scanning limitations diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index 728e03873e..8f34c26265 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Block at first sight is a feature of next gen protection that provides a way to detect and block new malware within seconds. @@ -26,7 +26,7 @@ It is enabled by default when certain pre-requisite settings are also enabled. I You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. -You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. +You can also [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. > [!IMPORTANT] > There is no specific individual setting in System Center Configuration Manager to enable or disable block at first sight. It is enabled by default when the pre-requisite settings are configured correctly. You must use Group Policy settings to enable or disable the feature. @@ -64,9 +64,9 @@ Block at first sight requires a number of Group Policy settings to be configured - **Time extension for file scanning by the cloud**: **50** - **Prompt users before sample submission**: **Send all data without prompting** -For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). +For more information about configuring Windows Defender Antivirus device restrictions in Intune, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus). +For a list of Windows Defender Antivirus device restrictions in Intune, see [Device restriction for Windows 10 (and newer) settings in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus). ### Confirm block at first sight is enabled with Group Policy @@ -96,7 +96,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. -### Confirm block at first sight is enabled with the Windows Defender Security Center app +### Confirm block at first sight is enabled with the Windows Security app You can confirm that block at first sight is enabled in Windows Settings. @@ -104,11 +104,11 @@ Block at first sight is automatically enabled as long as **Cloud-based protectio **Confirm Block at First Sight is enabled on individual clients** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar. +1. Open the Windows Security app by clicking the shield icon in the task bar. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Virus & threat protection settings**: - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md index c4712bd823..e78a18862c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) When Windows Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Windows Defender Antivirus cloud service](utilize-microsoft-cloud-protection-windows-defender-antivirus.md). diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md index a4e4d1798a..f467dac2b6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-end-user-interaction-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can configure how users of the endpoints on your network can interact with Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md index 05da87967e..ca5c66c4f2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-exclusions-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can exclude certain files, folders, processes, and process-opened files from Windows Defender Antivirus scans. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md index 4c95157a94..a9db1100c9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure and validate exclusions based on file extension and folder location **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can exclude certain files from Windows Defender Antivirus scans by modifying exclusion lists. @@ -53,9 +53,9 @@ To exclude files opened by a specific process, see [Configure and validate exclu The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md). >[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). > ->Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. +>Changes made in the Windows Security app **will not show** in the Group Policy lists. By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in case of conflicts. @@ -65,11 +65,11 @@ You can [configure how locally and globally defined exclusions lists are merged] **Use Intune to configure file name, folder, or file extension exclusions:** -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. **Use Configuration Manager to configure file name, folder, or file extension exclusions:** -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). **Use Group Policy to configure folder or file extension exclusions:** @@ -106,7 +106,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// **Use PowerShell cmdlets to configure file name, folder, or file extension exclusions:** -Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender). +Using PowerShell to add or remove exclusions for files based on the extension, location, or file name requires using a combination of three cmdlets and the appropriate exclusion list parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). The format for the cmdlets is: @@ -142,7 +142,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use **Use Windows Management Instruction (WMI) to configure file name, folder, or file extension exclusions:** -Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI ExclusionExtension @@ -153,13 +153,13 @@ The use of **Set**, **Add**, and **Remove** is analogous to their counterparts i See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -**Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:** +**Use the Windows Security app to configure file name, folder, or file extension exclusions:** -See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions. +See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. ## Use wildcards in the file name and folder path or extension exclusion lists @@ -264,19 +264,30 @@ The following table describes how the wildcards can be used and provides some ex ## Review the list of exclusions -You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), MpCmdRun, PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). >[!IMPORTANT] ->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). > ->Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. +>Changes made in the Windows Security app **will not show** in the Group Policy lists. If you use PowerShell, you can retrieve the list in two ways: - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** +**Validate the exclusion list by using MpCmdRun:** + +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. + +**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:** Use the following cmdlet: @@ -290,7 +301,7 @@ In the following example, the items contained in the `ExclusionExtension` list a See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Retrieve a specific exclusions list:** +**Retrieve a specific exclusions list by using PowerShell:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md index 013ef4ec60..833abbcaff 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) By default, Windows Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances. @@ -28,7 +28,7 @@ For example, it may be necessary to allow certain user groups (such as security The default setting for these policies is **Disabled**. -If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Defender Security Center](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate). +If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate). The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting. @@ -66,7 +66,7 @@ Scan | Configure local setting override for the scan type to use for a scheduled You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md). -By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence. +By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence. You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used. @@ -81,7 +81,7 @@ You can disable this setting to ensure that only globally-defined lists (such as 4. Double-click **Configure local administrator merge behavior for lists** and set the option to **Enabled**. Click **OK**. > [!NOTE] -> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Enable controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). +> If you disable local list merging, it will override controlled folder access settings. It also overrides any protected folders or allowed apps set by the local administrator. For more information about controlled folder access settings, see [Enable controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 69728c47d8..922fb0f10d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 10/08/2018 --- # Configure and validate Windows Defender Antivirus network connections **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) To ensure Windows Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers. @@ -40,7 +40,7 @@ The Windows Defender Antivirus cloud service provides fast, strong protection fo >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. -See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Defender Security Center app. +See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints. @@ -60,8 +60,9 @@ The following table lists the services and their associated URLs that your netwo Used by Windows Defender Antivirus to provide cloud-delivered protection -*.wdcp.microsoft.com*
    -*.wdcpalt.microsoft.com* +*.wdcp.microsoft.com
    +*.wdcpalt.microsoft.com
    +*.wd.microsoft.com @@ -176,20 +177,20 @@ A similar message occurs if you are using Internet Explorer: ![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png) -You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Defender Security Center app: +You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app: -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label: - ![Screenshot of the Scan history label in the Windows Defender Security Center app](images/defender/wdav-history-wdsc.png) + ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png) 3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware: - ![Screenshot of quarantined items in the Windows Defender Security Center app](images/defender/wdav-quarantined-history-wdsc.png) + ![Screenshot of quarantined items in the Windows Security app](images/defender/wdav-quarantined-history-wdsc.png) >[!NOTE] ->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces. +>Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces. The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md). diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md index 6985bdef52..8a98cffbc7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise. @@ -28,7 +28,7 @@ You can also configure how standard notifications appear on endpoints, such as n ## Configure the additional notifications that appear on endpoints -You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md) and with Group Policy. +You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy. > [!NOTE] > In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**. @@ -36,13 +36,13 @@ You can configure the display of additional notifications, such as recent threat > [!IMPORTANT] > Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts. -**Use the Windows Defender Security Center app to disable additional notifications:** +**Use the Windows Security app to disable additional notifications:** -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png) + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) 3. Scroll to the **Notifications** section and click **Change notification settings**. @@ -71,9 +71,9 @@ You can use Group Policy to: Hiding notifications can be useful in situations where you can't hide the entire Windows Defender Antivirus interface. See [Prevent users from seeing or interacting with the Windows Defender Antivirus user interface](prevent-end-user-interaction-windows-defender-antivirus.md) for more information. > [!NOTE] -> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection). +> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). -See [Customize the Windows Defender Security Center app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. +See [Customize the Windows Security app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines. **Use Group Policy to hide notifications:** diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md index 57a4d03e85..40785cfdec 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure exclusions for files opened by processes **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can exclude files that have been opened by specific processes from Windows Defender Antivirus scans. @@ -36,9 +36,9 @@ When you add a process to the process exclusion list, Windows Defender Antivirus The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans. -Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists. +Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists. -You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. +You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists. You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists. @@ -52,11 +52,11 @@ You can [configure how locally and globally defined exclusions lists are merged] **Use Microsoft Intune to exclude files that have been opened by specified processes from scans:** -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. **Use System Center Configuration Manager to exclude files that have been opened by specified processes from scans:** -See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Exclusion settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings) for details on configuring System Center Configuration Manager (current branch). **Use Group Policy to exclude files that have been opened by specified processes from scans:** @@ -80,7 +80,7 @@ See [How to create and deploy antimalware policies: Exclusion settings](https:// **Use PowerShell cmdlets to exclude files that have been opened by specified processes from scans:** -Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender). +Using PowerShell to add or remove exclusions for files that have been opened by processes requires using a combination of three cmdlets with the `-ExclusionProcess` parameter. The cmdlets are all in the [Defender module](https://technet.microsoft.com/itpro/powershell/windows/defender/defender). The format for the cmdlets is: @@ -109,7 +109,7 @@ See [Manage antivirus with PowerShell cmdlets](use-powershell-cmdlets-windows-de **Use Windows Management Instruction (WMI) to exclude files that have been opened by specified processes from scans:** -Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [ **Set**, **Add**, and **Remove** methods of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI ExclusionProcess @@ -119,13 +119,13 @@ The use of **Set**, **Add**, and **Remove** is analogous to their counterparts i See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -**Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:** +**Use the Windows Security app to exclude files that have been opened by specified processes from scans:** -See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions. +See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions. @@ -147,14 +147,26 @@ Environment variables | The defined variable will be populated as a path when th ## Review the list of exclusions -You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +You can retrieve the items in the exclusion list with MpCmdRun, PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). If you use PowerShell, you can retrieve the list in two ways: - Retrieve the status of all Windows Defender Antivirus preferences. Each of the lists will be displayed on separate lines, but the items within each list will be combined into the same line. - Write the status of all preferences to a variable, and use that variable to only call the specific list you are interested in. Each use of `Add-MpPreference` is written to a new line. -**Review the list of exclusions alongside all other Windows Defender Antivirus preferences:** +**Validate the exclusion list by using MpCmdRun:** + +To check exclusions with the dedicated [command-line tool mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus?branch=v-anbic-wdav-new-mpcmdrun-options), use the following command: + +```DOS +MpCmdRun.exe -CheckExclusion -path +``` + +>[!NOTE] +>Checking exclusions with MpCmdRun requires Windows Defender Antivirus CAMP version 4.18.1812.3 (released in December 2018) or later. + + +**Review the list of exclusions alongside all other Windows Defender Antivirus preferences by using PowerShell:** Use the following cmdlet: @@ -164,7 +176,7 @@ Get-MpPreference See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Windows Defender Antivirus. -**Retrieve a specific exclusions list:** +**Retrieve a specific exclusions list by using PowerShell:** Use the following code snippet (enter each line as a separate command); replace **WDAVprefs** with whatever label you want to name the variable: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md index 61d9ada7c2..acb2c79bcf 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Defender Antivirus uses several methods to provide threat protection: diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md index d5a83c1e36..e063f1fda5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 11/13/2018 --- -# Enable and configure antivirius always-on protection and monitoring +# Enable and configure antivirus always-on protection and monitoring **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities. @@ -42,7 +42,7 @@ Location | Setting | Description | Default setting (if not configured) ---|---|---|--- Real-time protection | Monitor file and program activity on your computer | The Windows Defender Antivirus engine makes note of any file changes (file writes, such as moves, copies, or modifications) and general program activity (programs that are opened or running and that cause other programs to run) | Enabled Real-time protection | Scan all downloaded files and attachments | Downloaded files and attachments are automatically scanned. This operates in addition to the SmartScreen filter, which scans files before and during downloading | Enabled -Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have disabled real-time protection | Enabled +Real-time protection | Turn on process scanning whenever real-time protection is enabled | You can independently enable the Windows Defender Antivirus engine to scan running processes for suspicious modifications or behaviors. This is useful if you have temporarily disabled real-time protection and want to automatically scan processes that started while it was disabled | Enabled Real-time protection | Turn on behavior monitoring | The AV engine will monitor file processes, file and registry changes, and other events on your endpoints for suspicious and known malicious activity | Enabled Real-time protection | Turn on raw volume write notifications | Information about raw volume writes will be analyzed by behavior monitoring | Enabled Real-time protection | Define the maximum size of downloaded files and attachments to be scanned | You can define the size in kilobytes | Enabled diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md index 87ab0e1b1a..35159b5198 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md @@ -18,13 +18,13 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) When Windows Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Windows Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats. -This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). +This topic describes how to configure these settings with Group Policy, but you can also use [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#threat-overrides-settings) and [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). -You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) to configure these settings. +You can also use the [`Set-MpPreference` PowerShell cmdlet](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference) or [`MSFT_MpPreference` WMI class](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) to configure these settings. ## Configure remediation options diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index 968c4850cb..d7c05e739f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -18,11 +18,11 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions. -These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). +These exclusions will not appear in the standard exclusion lists shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as described in these exclusion-related topics: @@ -70,14 +70,14 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use **Use Windows Management Instruction (WMI) to disable the auto-exclusions list on Windows Server 2016:** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI DisableAutoExclusions ``` See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## List of automatic exclusions The following sections contain the exclusions that are delivered with automatic exclusions file paths and file types. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md index 03b6bf2fc1..1451728ecf 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can configure Windows Defender Antivirus with a number of tools, including: diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md index 4487dc5453..ae4eee36d6 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Windows Defender Antivirus scans. @@ -30,5 +30,5 @@ Topic | Description [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans -[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app -[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app +[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app +[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md index 4c1673e6f4..38147632bc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can deploy, manage, and report on Windows Defender Antivirus in a number of ways. @@ -36,12 +36,12 @@ You'll also see additional links for: Tool|Deployment options (2)|Management options (network-wide configuration and policy or baseline deployment) ([3](#fn3))|Reporting options ---|---|---|--- -Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/en-us/intune/device-management) +Microsoft Intune|[Add endpoint protection settings in Intune](https://docs.microsoft.com/intune/endpoint-protection-configure)|[Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure)| [Use the Intune console to manage devices](https://docs.microsoft.com/intune/device-management) System Center Configuration Manager ([1](#fn1))|Use the [Endpoint Protection point site system role][] and [enable Endpoint Protection with custom client settings][]|With [default and customized antimalware policies][] and [client management][]|With the default [Configuration Manager Monitoring workspace][] and [email alerts][] Group Policy and Active Directory (domain-joined)|Use a Group Policy Object to deploy configuration changes and ensure Windows Defender Antivirus is enabled.|Use Group Policy Objects (GPOs) to [Configure update options for Windows Defender Antivirus][] and [Configure Windows Defender features][]|Endpoint reporting is not available with Group Policy. You can generate a list of [Group Policies to determine if any settings or policies are not applied][] PowerShell|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set-MpPreference][] and [Update-MpSignature] [] cmdlets available in the Defender module|Use the appropriate [Get- cmdlets available in the Defender module][] Windows Management Instrumentation|Deploy with Group Policy, System Center Configuration Manager, or manually on individual endpoints.|Use the [Set method of the MSFT_MpPreference class][] and the [Update method of the MSFT_MpSignature class][]|Use the [MSFT_MpComputerStatus][] class and the get method of associated classes in the [Windows Defender WMIv2 Provider][] -Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/en-us/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. +Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by using Visual Studio virtual machine configuration, or using Azure PowerShell cmdlets](https://docs.microsoft.com/azure/security/azure-security-antimalware#antimalware-deployment-scenarios). You can also [Install Endpoint protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection)|Configure [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) or [use code samples](https://gallery.technet.microsoft.com/Antimalware-For-Azure-5ce70efe)|Use [Microsoft Antimalware for Virtual Machines and Cloud Services with Azure PowerShell cmdlets](https://docs.microsoft.com/powershell/servicemanagement/azure.antimalware/v3.4.0/azure.antimalware) to enable monitoring. You can also review usage reports in Azure Active Directory to determine suspicious activity, including the [Possibly infected devices][] report and configure an SIEM tool to report on [Windows Defender Antivirus events][] and add that tool as an app in AAD. 1. The availability of some functions and features, especially related to cloud-delivered protection, differ between System Center Configuration Manager (Current Branch) and System Center Configuration Manager 2012. In this library, we've focused on Windows 10, Windows Server 2016, and System Center Configuration Manager (Current Branch). See [Use Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for a table that describes the major differences. [(Return to table)](#ref2) @@ -49,28 +49,28 @@ Microsoft Azure|Deploy Microsoft Antimalware for Azure in the [Azure portal, by 3. Configuration of features and protection, including configuring product and protection updates, are further described in the [Configure Windows Defender Antivirus features](configure-notifications-windows-defender-antivirus.md) section in this library. [(Return to table)](#ref2) -[Endpoint Protection point site system role]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-site-role -[default and customized antimalware policies]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies -[client management]: https://docs.microsoft.com/en-us/sccm/core/clients/manage/manage-clients -[enable Endpoint Protection with custom client settings]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection-configure-client -[Configuration Manager Monitoring workspace]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection -[email alerts]: https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts -[Deploy the Microsoft Intune client to endpoints]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune -[custom Intune policy]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection - [custom Intune policy]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection -[manage tasks]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection -[Monitor endpoint protection in the Microsoft Intune administration console]: https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection -[Set method of the MSFT_MpPreference class]: https://msdn.microsoft.com/en-us/library/dn439474 -[Update method of the MSFT_MpSignature class]: https://msdn.microsoft.com/en-us/library/dn439474 -[MSFT_MpComputerStatus]: https://msdn.microsoft.com/en-us/library/dn455321 -[Windows Defender WMIv2 Provider]: https://msdn.microsoft.com/en-us/library/dn439477 +[Endpoint Protection point site system role]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-site-role +[default and customized antimalware policies]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies +[client management]: https://docs.microsoft.com/sccm/core/clients/manage/manage-clients +[enable Endpoint Protection with custom client settings]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection-configure-client +[Configuration Manager Monitoring workspace]: https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection +[email alerts]: https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts +[Deploy the Microsoft Intune client to endpoints]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune +[custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection + [custom Intune policy]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#configure-microsoft-intune-endpoint-protection +[manage tasks]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#choose-management-tasks-for-endpoint-protection +[Monitor endpoint protection in the Microsoft Intune administration console]: https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune#monitor-endpoint-protection +[Set method of the MSFT_MpPreference class]: https://msdn.microsoft.com/library/dn439474 +[Update method of the MSFT_MpSignature class]: https://msdn.microsoft.com/library/dn439474 +[MSFT_MpComputerStatus]: https://msdn.microsoft.com/library/dn455321 +[Windows Defender WMIv2 Provider]: https://msdn.microsoft.com/library/dn439477 [Set-MpPreference]: https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference.md [Update-MpSignature]: https://technet.microsoft.com/itpro/powershell/windows/defender/update-mpsignature [Get- cmdlets available in the Defender module]: https://technet.microsoft.com/itpro/powershell/windows/defender/index [Configure update options for Windows Defender Antivirus]: manage-updates-baselines-windows-defender-antivirus.md [Configure Windows Defender features]: configure-windows-defender-antivirus-features.md -[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/en-us/library/cc771389.aspx -[Possibly infected devices]: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices +[Group Policies to determine if any settings or policies are not applied]: https://technet.microsoft.com/library/cc771389.aspx +[Possibly infected devices]: https://docs.microsoft.com/azure/active-directory/active-directory-reporting-sign-ins-from-possibly-infected-devices [Windows Defender Antivirus events]: troubleshoot-windows-defender-antivirus.md ## In this section diff --git a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md index 6efcc0eeef..59b048bfda 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Depending on the management tool you are using, you may need to specifically enable or configure Windows Defender Antivirus protection. diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index b0a425bb2b..97f4d15615 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) In addition to standard on-premises or hardware configurations, you can also use Windows Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment. @@ -39,7 +39,7 @@ For more details on the best configuration options to ensure a good balance betw See the [Microsoft Desktop virtualization site](https://www.microsoft.com/en-us/server-cloud/products/virtual-desktop-infrastructure/) for more details on Microsoft Remote Desktop Services and VDI support. -For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/en-us/azure/security-center/security-center-install-endpoint-protection) topic. +For Azure-based virtual machines, you can also review the [Install Endpoint Protection in Azure Security Center](https://docs.microsoft.com/azure/security-center/security-center-install-endpoint-protection) topic. There are three main steps in this guide to help roll out Windows Defender Antivirus protection across your VDI: @@ -59,7 +59,7 @@ There are three main steps in this guide to help roll out Windows Defender Antiv > While the VDI can be hosted on Windows Server 2012 or Windows Server 2016, the virtual machines (VMs) should be running Windows 10, 1607 at a minimum, due to increased protection technologies and features that are unavailable in earlier versions of Windows. >[!NOTE] ->When you manage Windows with System Center Configuration Manager, Windows Defender Antivirus protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) for more information. +>When you manage Windows with System Center Configuration Manager, Windows Defender Antivirus protection will be referred to as Endpoint Protection or System Center Endpoint Protection. See the [Endpoint Protection section at the Configuration Manager library]( https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection) for more information. ## Create and deploy the base image @@ -76,7 +76,7 @@ First, you should create your base image according to your business needs, apply ### Apply protection updates to the base image -After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/en-us/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender Antivirus protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches. +After creating the image, you should ensure it is fully updated. See [Configure Windows Defender in Windows 10]( https://technet.microsoft.com/itpro/windows/keep-secure/configure-windows-defender-in-windows-10) for instructions on how to update Windows Defender Antivirus protection via WSUS, Microsoft Update, the MMPC site, or UNC file shares. You should ensure that your initial base image is also fully patched with Microsoft and Windows updates and patches. ### Seal the base image @@ -106,9 +106,9 @@ The following references provide ways you can create and deploy the base image a - [Single image management for Virtual Desktop Collections](https://blogs.technet.microsoft.com/enterprisemobility/2012/10/29/single-image-management-for-virtual-desktop-collections-in-windows-server-2012/) - [Using Hyper-V to create a Base OS image that can be used for VMs and VHDs](https://blogs.technet.microsoft.com/haroldwong/2011/06/12/using-hyper-v-to-create-a-base-os-image-that-can-be-used-for-vms-and-boot-to-vhd/) -- [Plan for Hyper-V security in Windows Server 2016]( https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/plan/plan-for-hyper-v-security-in-windows-server-2016) -- [Create a virtual machine in Hyper-V (with a VHD)](https://technet.microsoft.com/en-us/windows-server-docs/compute/hyper-v/get-started/create-a-virtual-machine-in-hyper-v) -- [Build Virtual Desktop templates]( https://technet.microsoft.com/en-us/library/dn645526(v=ws.11).aspx) +- [Plan for Hyper-V security in Windows Server 2016]( https://technet.microsoft.com/windows-server-docs/compute/hyper-v/plan/plan-for-hyper-v-security-in-windows-server-2016) +- [Create a virtual machine in Hyper-V (with a VHD)](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/get-started/create-a-virtual-machine-in-hyper-v) +- [Build Virtual Desktop templates]( https://technet.microsoft.com/library/dn645526(v=ws.11).aspx) ## Manage your VMs and base image @@ -128,7 +128,7 @@ If you are using a persistent VDI, you should update the base image monthly, and 3. [Configure the VMs to pull protection updates from the file share](manage-protection-updates-windows-defender-antivirus.md). -4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others. +4. Disable or delay automatic Microsoft updates on your VMs. See [Update Windows 10 in the enterprise](https://technet.microsoft.com/itpro/windows/manage/waas-update-windows-10) for information on managing operating system updates with WSUS, SCCM, and others. 5. On or just after each Patch Tuesday (the second Tuesday of each month), [update your base image with the latest protection updates from the MMPC website, WSUS, or Microsoft Update](manage-protection-updates-windows-defender-antivirus.md) Also apply all other Windows patches and fixes that were delivered on the Patch Tuesday. You can automate this by following the instructions in [Orchestrated offline VM Patching using Service Management Automation](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/). @@ -182,7 +182,7 @@ The start time of the scan itself is still based on the scheduled scan policy **Use Configuration Manager to randomize scheduled scans:** -See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Advanced settings]( https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#advanced-settings) for details on configuring System Center Configuration Manager (current branch). See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans. @@ -205,7 +205,7 @@ Quick scans are the preferred approach as they are designed to look in all place **Use Configuration Manager to specify the type of scheduled scan:** -See [How to create and deploy antimalware policies: Scheduled scans settings]( https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Scheduled scans settings]( https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) for details on configuring System Center Configuration Manager (current branch). See [Schedule scans](scheduled-catch-up-scans-windows-defender-antivirus.md) for other configuration options available for scheduled scans. @@ -238,7 +238,7 @@ Sometimes, Windows Defender Antivirus notifications may be sent to or persist ac 3. Click **OK**. -3. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +3. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Disable scans after an update @@ -269,7 +269,7 @@ This setting will prevent a scan from occurring after receiving an update. You c 4. Click **OK**. -5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +5. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Scan VMs that have been offline @@ -297,15 +297,14 @@ This setting will help ensure protection for a VM that has been offline for some 4. Click **OK**. -5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +5. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ### Exclusions On Windows Server 2016, Windows Defender Antivirus will automatically deliver the right exclusions for servers running a VDI environment. However, if you are running an older Windows server version, you can refer to the exclusions that are applied on this page: -- [Automatic exclusions for Windows Server Antimalware](https://technet.microsoft.com/en-us/windows-server-docs/security/windows-defender/automatic-exclusions-for-windows-defender) +- [Configure Windows Defender Antivirus exclusions on Windows Server](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus) ## Additional resources - [Video: Microsoft Senior Program Manager Bryan Keller on how System Center Configuration Manger 2012 manages VDI and integrates with App-V]( http://channel9.msdn.com/Shows/Edge/Edge-Show-5-Manage-VDI-using-SCCM-2012#time=03m02s) -- [Project VRC: Windows Defender Antivirus impact and best practices on VDI](https://blogs.technet.microsoft.com/privatecloud/2013/12/06/orchestrated-offline-vm-patching-using-service-management-automation/) - [TechNet forums on Remote Desktop Services and VDI](https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverTS) - [SignatureDownloadCustomTask PowerShell script](https://www.powershellgallery.com/packages/SignatureDownloadCustomTask/1.4/DisplayScript) diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 692b68e71c..475e161a65 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 10/02/2018 --- # Detect and block potentially unwanted applications **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) The potentially unwanted application (PUA) protection feature in Windows Defender Antivirus can identify and block PUAs from downloading and installing on endpoints in your network. @@ -49,7 +49,7 @@ The file is placed in the quarantine section so it won't run. When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). -They will also appear in the usual [quarantine list in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). +They will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). ## View PUA events @@ -61,28 +61,42 @@ See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for det ## Configure PUA protection -You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, or PowerShell cmdlets. +You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or PowerShell cmdlets. You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. -**Use Intune to configure the PUA protection feature** +**Use Intune to configure PUA protection** -See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. +See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -**Use Configuration Manager to configure the PUA protection feature:** +**Use Configuration Manager to configure PUA protection:** PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. -See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Scheduled scans settings](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#real-time-protection-settings) for details on configuring System Center Configuration Manager (current branch). For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Application Protection Policy for Endpoint Protection in Configuration Manager](https://technet.microsoft.com/library/hh508770.aspx#BKMK_PUA). > [!NOTE] > PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. -**Use PowerShell cmdlets to configure the PUA protection feature:** +**Use Group Policy to configure PUA protection:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus**. + +4. Double-click **Configure protection for potentially unwanted applications**. + +5. Click **Enabled** to enable PUA protection. + +6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Click **OK**. + +**Use PowerShell cmdlets to configure PUA protection:** Use the following cmdlet: @@ -94,7 +108,7 @@ Setting the value for this cmdlet to `Enabled` will turn the feature on if it ha Setting `AuditMode` will detect PUAs but will not block them. -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 67c5b7bdfa..bc76dcf3d8 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md @@ -18,12 +18,12 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. -You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Defender Security Center app. +You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. @@ -36,7 +36,7 @@ There are specific network-connectivity requirements to ensure your endpoints ca 1. Sign in to the [Azure portal](https://portal.azure.com). 2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). +3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). 4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. 5. On the **Cloud-delivered protection** switch, select **Enable**. 6. In the **Prompt users before sample submission** dropdown, select **Send all data without prompting**. @@ -50,11 +50,11 @@ There are specific network-connectivity requirements to ensure your endpoints ca 8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. -For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles) +For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) **Use Configuration Manager to enable cloud-delivered protection:** -See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). +See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). **Use Group Policy to enable cloud-delivered protection:** @@ -90,11 +90,11 @@ Set-MpPreference -SubmitSamplesConsent Always >[!NOTE] >You can also set -SubmitSamplesConsent to `None`. Setting it to `Never` will lower the protection state of the device, and setting it to 2 means the [Block at First Sight](configure-block-at-first-sight-windows-defender-antivirus.md) feature will not function. -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to enable cloud-delivered protection:** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn439474(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn439474(v=vs.85).aspx) class for the following properties: ```WMI MAPSReporting @@ -102,18 +102,18 @@ SubmitSamplesConsent ``` See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) -**Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app** +**Enable cloud-delivered protection on individual clients with the Windows Security app** > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. @@ -125,8 +125,8 @@ See the following for more information and allowed parameters: - [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) - [Configure block at first sight](configure-block-at-first-sight-windows-defender-antivirus.md) - [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) -- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] -- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) +- [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune)] +- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) - [Utilize Microsoft cloud-delivered protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) -- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) +- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md index 72996630cf..e40b93abd1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/evaluate-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications. @@ -38,7 +38,7 @@ The guide is available in PDF format for offline viewing: You can also download a PowerShell that will enable all the settings described in the guide automatically. You can obtain the script alongside the PDF download above, or individually from PowerShell Gallery: -- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings/1.2/DisplayScript) +- [Download the PowerShell script to automatically configure the settings](https://www.powershellgallery.com/packages/WindowsDefender_InternalEvaluationSettings) > [!IMPORTANT] > The guide is currently intended for single-machine evaluation of Windows Defender Antivirus. Enabling all of the settings in this guide may not be suitable for real-world deployment. diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md index d35db44c87..923a59f0ba 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md @@ -20,7 +20,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device. @@ -34,11 +34,11 @@ By default, Windows Defender Antivirus will enable itself on a Windows 10 device If Windows Defender Antivirus is enabled, the usual options will appear to configure it on that device: -![Windows Defender Security Center app showing Windows Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png) +![Windows Security app showing Windows Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png) -If another antivirus product is installed and working correctly, Windows Defender Antivirus will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options: +If another antivirus product is installed and working correctly, Windows Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options: -![Windows Defender Security Center app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png) +![Windows Security app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png) Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md index 2209e57918..6b53608726 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-event-based-updates-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service. @@ -34,7 +34,7 @@ You can use System Center Configuration Manager, Group Policy, PowerShell cmdlet 3. Click **OK**. -4.[Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +4.[Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). **Use Group Policy to check for protection updates before running a scan:** @@ -58,18 +58,18 @@ Use the following cmdlets: Set-MpPreference -CheckForSignaturesBeforeRunningScan ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to check for protection updates before running a scan** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI CheckForSignaturesBeforeRunningScan ``` See the following for more information: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## Check for protection updates on startup @@ -111,18 +111,18 @@ Use the following cmdlets: Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine ``` -See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to download updates when Windows Defender Antivirus is not present:** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI SignatureDisableUpdateOnStartupWithoutEngine ``` See the following for more information: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md index 210423199c..7639c8e05b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis. @@ -41,7 +41,7 @@ If Windows Defender Antivirus did not download protection updates for a specifie 3. Click **OK**. -4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). **Use Group Policy to enable and configure the catch-up update feature:** @@ -65,18 +65,18 @@ Use the following cmdlets: Set-MpPreference -SignatureUpdateCatchupInterval ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to configure catch-up protection updates:** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI SignatureUpdateCatchupInterval ``` See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) @@ -148,11 +148,11 @@ Set-MpPreference -DisableCatchupQuickScan ``` -See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to manage Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to configure catch-up scans:** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI DisableCatchupFullScan @@ -160,7 +160,7 @@ DisableCatchupQuickScan ``` See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) **Use Configuration Manager to configure catch-up scans:** @@ -171,7 +171,7 @@ See the following for more information and allowed parameters: 3. Click **OK**. -4. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +4. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md index efcd9e0cfc..bb3a6e46d7 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-update-schedule-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Defender Antivirus lets you determine when it should look for and download updates. @@ -42,7 +42,7 @@ You can also randomize the times when each endpoint checks and downloads protect 3 4. To check and download updates on a continual interval, Set **Check for Endpoint Protection definitions at a specific interval...** to the number of hours that should occur between updates. -5. [Deploy the updated policy as usual](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). +5. [Deploy the updated policy as usual](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#deploy-an-antimalware-policy-to-client-computers). **Use Group Policy to schedule protection updates:** @@ -73,11 +73,11 @@ Set-MpPreference -SignatureScheduleTime Set-MpPreference -SignatureUpdateInterval ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to schedule protection updates:** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI SignatureScheduleDay @@ -86,7 +86,7 @@ SignatureUpdateInterval ``` See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index e550220a80..24e05dd41a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -59,7 +59,7 @@ The WSUS, Configuration Manager, and MMPC sources will deliver less frequent upd > [!IMPORTANT] > If you have set MMPC as a fallback source after WSUS or Microsoft Update, updates will only be downloaded from MMPC when the current update is considered to be out-of-date (by default, this is 2 consecutive days of not being able to apply updates from the WSUS or Microsoft Update services). -> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). +> You can, however, [set the number of days before protection is reported as out-of-date](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table: @@ -69,13 +69,13 @@ WSUS | You are using WSUS to manage updates for your network. Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates. File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments. Configuration Manager | You are using System Center Configuration Manager to update your endpoints. -MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for [a specified number of days](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). +MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). This option should generally be used only as a final fallback source, and not the primary source. It will only be used if updates cannot be downloaded from WSUS or Microsoft Update for [a specified number of days](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/manage-outdated-endpoints-windows-defender-antivirus#set-the-number-of-days-before-protection-is-reported-as-out-of-date). You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI. > [!IMPORTANT] -> If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least once a day. See [To synchronize endpoint protection updates in standalone WSUS](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) for more details. +> If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least once a day. See [To synchronize endpoint protection updates in standalone WSUS](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) for more details. The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it. @@ -101,14 +101,14 @@ The procedures in this article first describe how to set the order, and then how 1. Double-click the **Define file shares for downloading definition updates** setting and set the option to **Enabled**. - 2. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/en-us/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates. + 2. Enter the file share source. If you have multiple sources, enter each source in the order they should be used, separated by a single pipe. Use [standard UNC notation](https://msdn.microsoft.com/library/gg465305.aspx) for denoting the path, for example: `\\host-name1\share-name\object-name|\\host-name2\share-name\object-name`. If you do not enter any paths then this source will be skipped when the VM downloads updates. 3. Click **OK**. This will set the order of file shares when that source is referenced in the **Define the order of sources...** group policy setting. **Use Configuration Manager to manage the update location:** -See [Configure Definition Updates for Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch). +See [Configure Definition Updates for Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-definition-updates) for details on configuring System Center Configuration Manager (current branch). **Use PowerShell cmdlets to manage the update location:** @@ -120,14 +120,14 @@ Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION} Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce {\\UNC SHARE PATH|\\UNC SHARE PATH} ``` See the following for more information: -- [Set-MpPreference -SignatureFallbackOrder](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturefallbackorder) -- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce](https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources) +- [Set-MpPreference -SignatureFallbackOrder](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturefallbackorder) +- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources) - [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) -- [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) +- [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) **Use Windows Management Instruction (WMI) to manage the update location:** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI SignatureFallbackOrder @@ -135,11 +135,11 @@ SignatureDefinitionUpdateFileSharesSouce ``` See the following for more information: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) **Use Mobile Device Management (MDM) to manage the update location:** -See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM. +See [Policy CSP - Defender/SignatureUpdateFallbackOrder](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-signatureupdatefallbackorder) for details on configuring MDM. diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md index b3541abe11..c1d9aad15b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md @@ -18,13 +18,13 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) There are two types of updates related to keeping Windows Defender Antivirus up to date: 1. Protection updates 2. Product updates -You can also apply [Windows security baselines](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection. +You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection. ## Protection updates @@ -35,9 +35,9 @@ The cloud-delivered protection is always on and requires an active connection to ## Product updates -Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/en-us/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. +Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases. -You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. +You can manage the distribution of updates through Windows Server Update Service (WSUS), with [System Center Configuration Manager](https://docs.microsoft.com/sccm/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network. ## In this section diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md index ee85e54424..4ea81cd37f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-mobile-devices-vms-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Mobile devices and VMs may require additional configuration to ensure performance is not impacted by updates. diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md index 73d8882279..880d56c9e3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Hide the Windows Defender Antivirus interface -description: You can hide virus and threat protection tile in the Windows Defender Security Center app. +description: You can hide virus and threat protection tile in the Windows Security app. keywords: ui lockdown, headless mode, hide app, hide settings, hide interface search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -18,21 +18,21 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can use Group Policy to prevent users on endpoints from seeing the Windows Defender Antivirus interface. You can also prevent them from pausing scans. ## Hide the Windows Defender Antivirus interface -In Windows 10, versions 1703, hiding the interface will hide Windows Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app. +In Windows 10, versions 1703, hiding the interface will hide Windows Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app. With the setting set to **Enabled**: -![Screenshot of Windows Defender Security Center without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png) +![Screenshot of Windows Security without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png) With the setting set to **Disabled** or not configured: -![Scheenshot of Windows Defender Security Center showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) +![Scheenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) >[!NOTE] >Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md index 938413082b..efa0d8b522 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus.md @@ -18,22 +18,22 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) There are a number of ways you can review protection status and alerts, depending on the management tool you are using for Windows Defender Antivirus. -You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/en-us/intune/introduction-intune). +You can use System Center Configuration Manager to [monitor Windows Defender Antivirus](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection) or [create email alerts](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-configure-alerts), or you can also monitor protection using [Microsoft Intune](https://docs.microsoft.com/intune/introduction-intune). Microsoft Operations Management Suite has an [Update Compliance add-in](/windows/deployment/update/update-compliance-get-started) that reports on key Windows Defender Antivirus issues, including protection updates and real-time protection settings. -If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/en-us/library/windows/desktop/aa964766(v=vs.85).aspx). +If you have a third-party security information and event management (SIEM) tool, you can also consume [Windows Defender client events](https://msdn.microsoft.com/library/windows/desktop/aa964766(v=vs.85).aspx). Windows events comprise several security event sources, including Security Account Manager (SAM) events ([enhanced for Windows 10](https://technet.microsoft.com/library/mt431757.aspx), also see the [Security audting](/windows/device-security/auditing/security-auditing-overview) topic) and [Windows Defender events](troubleshoot-windows-defender-antivirus.md). -These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/en-us/library/windows/desktop/bb427443(v=vs.85).aspx). It is common practice for SIEMs to have connectors for Windows events. This technique allows for correlation of all security events from the machine in the SIEM. +These events can be centrally aggregated using the [Windows event collector](https://msdn.microsoft.com/library/windows/desktop/bb427443(v=vs.85).aspx). It is common practice for SIEMs to have connectors for Windows events. This technique allows for correlation of all security events from the machine in the SIEM. -You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-malware). +You can also [monitor malware events using the Malware Assessment solution in Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-malware). For monitoring or determining status with PowerShell, WMI, or Microsoft Azure, see the [(Deployment, management, and reporting options table)](deploy-manage-report-windows-defender-antivirus.md#ref2). diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index 37c8231fb3..10d6f5bedc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -11,21 +11,21 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 11/16/2018 --- # Restore quarantined files in Windows Defender AV **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them. -1. Open **Windows Defender Security Center**. -2. Click **Virus & threat protection** and then click **Scan history**. +1. Open **Windows Security**. +2. Click **Virus & threat protection** and then click **Threat History**. 3. Under **Quarantined threats**, click **See full history**. -4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.) +4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.) ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 802c92f163..c75f970b7b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Review the results of Windows Defender AV scans -description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app +description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app keywords: scan results, remediation, full scan, quick scan search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) After an Windows Defender Antivirus scan completes, whether it is an [on-demand](run-scan-windows-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-windows-defender-antivirus.md), the results are recorded and you can view the results. @@ -31,12 +31,12 @@ After an Windows Defender Antivirus scan completes, whether it is an [on-demand] **Use Configuration Manager to review scan results:** -See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection). +See [How to monitor Endpoint Protection status](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection). -**Use the Windows Defender Security Center app to review scan results:** +**Use the Windows Security app to review scan results:** -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label. @@ -70,7 +70,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use **Use Windows Management Instruction (WMI) to review scan results:** -Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) classes. +Use the [**Get** method of the **MSFT_MpThreat** and **MSFT_MpThreatDetection**](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) classes. diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 9a93cd3335..7f0a6d6037 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Run and customize on-demand scans in Windows Defender AV -description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app +description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app keywords: scan, on-demand, dos, intune, instant scan search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type. @@ -33,10 +33,12 @@ In most instances, this means a quick scan is adequate to find malware that wasn A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. +>[!NOTE] +>By default, quick scans run on mounted removable devices, such as USB drives. **Use Configuration Manager to run a scan:** -See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan. +See [Antimalware and firewall tasks: How to perform an on-demand scan](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-firewall#how-to-perform-an-on-demand-scan-of-computers) for details on using System Center Configuration Manager (current branch) to run a scan. **Use the mpcmdrum.exe command-line utility to run a scan:** @@ -59,9 +61,9 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen 2. Select **...More** and then select **Quick Scan** or **Full Scan**. -**Use the Windows Defender Security Center app to run a scan:** +**Use the Windows Security app to run a scan:** -See [Run a scan in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints. +See [Run a scan in the Windows Security app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints. @@ -78,10 +80,10 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use **Use Windows Management Instruction (WMI) to run a scan:** -Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/en-us/library/dn455324(v=vs.85).aspx#methods) class. +Use the [**Start** method of the **MSFT_MpScan**](https://msdn.microsoft.com/library/dn455324(v=vs.85).aspx#methods) class. See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index 4bb34b0d77..d40f911f2e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md @@ -11,14 +11,14 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 12/10/2018 --- # Configure scheduled quick or full Windows Defender Antivirus scans **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) > [!NOTE] > By default, Windows Defender Antivirus checks for an update 15 minutes before the time of any scheduled scans. You can [Manage the schedule for when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) to override this default. @@ -28,7 +28,7 @@ In addition to always-on real-time protection and [on-demand](run-scan-windows-d You can configure the type of scan, when the scan should occur, and if the scan should occur after a [protection update](manage-protection-updates-windows-defender-antivirus.md) or if the endpoint is being used. You can also specify when special scans to complete remediation should occur. -This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). +This topic describes how to configure scheduled scans with Group Policy, PowerShell cmdlets, and WMI. You can also configure schedules scans with [System Center Configuration Manager](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#scheduled-scans-settings) or [Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). To configure the Group Policy settings described in this topic: @@ -42,7 +42,6 @@ To configure the Group Policy settings described in this topic: 6. Double-click the policy **Setting** as specified in the table below, and set the option to your desired configuration. Click **OK**, and repeat for any other settings. - Also see the [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) and [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md) topics. ## Quick scan versus full scan and custom scan @@ -57,12 +56,17 @@ In most instances, this means a quick scan is adequate to find malware that wasn A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md). -A custom scan allows you to specify the files and folders to scan, such as a USB drive. +A custom scan allows you to specify the files and folders to scan, such as a USB drive. + +>[!NOTE] +>By default, quick scans run on mounted removable devices, such as USB drives. ## Set up scheduled scans Scheduled scans will run at the day and time you specify. You can use Group Policy, PowerShell, and WMI to configure scheduled scans. +>[!NOTE] +>If a computer is unplugged and running on battery during a scheduled full scan, the scheduled scan will stop with event 1002, which states that the scan stopped before completion. Windows Defender Antivirus will run a full scan at the next scheduled time. **Use Group Policy to schedule scans:** @@ -89,7 +93,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use **Use Windows Management Instruction (WMI) to schedule scans:** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI SignatureFallbackOrder @@ -97,7 +101,7 @@ SignatureDefinitionUpdateFileSharesSouce ``` See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) @@ -124,7 +128,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use **Use Windows Management Instruction (WMI):** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI SignatureFallbackOrder @@ -132,7 +136,7 @@ SignatureDefinitionUpdateFileSharesSouce ``` See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## Configure when full scans should be run to complete remediation @@ -160,7 +164,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use **Use Windows Management Instruction (WMI):** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI SignatureFallbackOrder @@ -168,7 +172,7 @@ SignatureDefinitionUpdateFileSharesSouce ``` See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) @@ -197,7 +201,7 @@ See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use **Use Windows Management Instruction (WMI) to schedule daily scans:** -Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class for the following properties: +Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class for the following properties: ```WMI SignatureFallbackOrder @@ -205,7 +209,7 @@ SignatureDefinitionUpdateFileSharesSouce ``` See the following for more information and allowed parameters: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) ## Enable scans after protection updates diff --git a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md index 592aa7ffe9..fe11787198 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can specify the level of cloud-protection offered by Windows Defender Antivirus with Group Policy and System Center Configuration Manager. @@ -31,7 +31,7 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi 1. Sign in to the [Azure portal](https://portal.azure.com). 2. Select **All services > Intune**. -3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). +3. In the **Intune** pane, select **Device configuration > Profiles**, and then select the **Device restrictions** profile type you want to configure. If you haven't yet created a **Device restrictions** profile type, or if you want to create a new one, see [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/intune/device-restrictions-configure). 4. Select **Properties**, select **Settings: Configure**, and then select **Windows Defender Antivirus**. 5. On the **File Blocking Level** switch, select one of the following: @@ -44,12 +44,12 @@ You can specify the level of cloud-protection offered by Windows Defender Antivi 8. Click **OK** to exit the **Windows Defender Antivirus** settings pane, click **OK** to exit the **Device restrictions** pane, and then click **Save** to save the changes to your **Device restrictions** profile. -For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/en-us/intune/device-profiles) +For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) **Use Configuration Manager to specify the level of cloud-delivered protection:** -1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). +1. See [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) for details on configuring System Center Configuration Manager (current branch). **Use Group Policy to specify the level of cloud-delivered protection:** @@ -74,6 +74,6 @@ For more information about Intune device profiles, including how to create and c - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) -- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) +- [How to create and deploy antimalware policies: Cloud-protection service](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-antimalware-policies#cloud-protection-service) diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md index ae18d78a72..d1ae21771c 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) When you use [Windows Analytics Update Compliance to obtain reporting into the protection status of machines or endpoints](/windows/deployment/update/update-compliance-using#wdav-assessment) in your network that are using Windows Defender Antivirus, you may encounter problems or issues. @@ -47,7 +47,7 @@ In order for devices to properly show up in Update Compliance, you have to meet >- Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](windows-defender-antivirus-compatibility.md) and the endpoint will not be reported in Update Compliance. > - [Cloud-delivered protection is enabled](enable-cloud-protection-windows-defender-antivirus.md). > - Endpoints can [connect to the Windows Defender AV cloud](configure-network-connections-windows-defender-antivirus.md#validate-connections-between-your-network-and-the-cloud) -> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/en-us/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level). +> - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level). > - It has been 3 days since all requirements have been met If the above pre-requisites have all been met, you may need to proceed to the next step to collect diagnostic information and send it to us. diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index a40df9b551..d23df5b8f1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/11/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) If you encounter a problem with Windows Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md index d4fbc2f0c0..6581b10ed3 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-group-policy-windows-defender-antivirus.md @@ -18,9 +18,9 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -You can use [Group Policy](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints. +You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Windows Defender Antivirus on your endpoints. In general, you can use the following procedure to configure or change Windows Defender Antivirus group policy settings: @@ -34,7 +34,7 @@ In general, you can use the following procedure to configure or change Windows D 6. Expand the section (referred to as **Location** in the table in this topic) that contains the setting you want to configure, double-click the setting to open it, and make configuration changes. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). The following table in this topic lists the Group Policy settings available in Windows 10, version 1703, and provides links to the appropriate topic in this documentation library (where applicable). diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md index 618ef1fa2f..89cf104935 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-intune-config-manager-windows-defender-antivirus.md @@ -18,15 +18,15 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) If you are using System Center Configuration Manager or Microsoft Intune to manage the endpoints on your network, you can also use them to manage Windows Defender Antivirus scans. In some cases, the protection will be labeled as Endpoint Protection, although the engine is the same as that used by Windows Defender Antivirus. -See the [Endpoint Protection](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager. +See the [Endpoint Protection](https://docs.microsoft.com/sccm/protect/deploy-use/endpoint-protection) library on docs.microsoft.com for information on using Configuration Manager. -For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/en-us/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure). +For Microsoft Intune, consult the [Microsoft Intune library](https://docs.microsoft.com/intune/introduction-intune) and [Configure device restriction settings in Intune](https://docs.microsoft.com/intune/device-restrictions-configure). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md index 65ac1a5a70..25ca31aa0a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus.md @@ -18,16 +18,16 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/en-us/powershell/mt173057.aspx). +You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration, and you can read more about it at the [PowerShell hub on MSDN](https://msdn.microsoft.com/powershell/mt173057.aspx). -For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) topic. +For a list of the cmdlets and their functions and available parameters, see the [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) topic. PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software. > [!NOTE] -> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/en-us/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/en-us/kb/927367). +> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [System Center Configuration Manager](https://technet.microsoft.com/library/gg682129.aspx), [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), or [Windows Defender Antivirus Group Policy ADMX templates](https://support.microsoft.com/kb/927367). Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell. diff --git a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md index 4d68937d13..0ae7bc9771 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/use-wmi-windows-defender-antivirus.md @@ -18,15 +18,15 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings. -Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/en-us/library/aa394582(v=vs.85).aspx). +Read more about WMI at the [Microsoft Developer Network System Administration library](https://msdn.microsoft.com/library/aa394582(v=vs.85).aspx). Windows Defender Antivirus has a number of specific WMI classes that can be used to perform most of the same functions as Group Policy and other management tools. Many of the classes are analogous to [Defender PowerShell cmdlets](use-powershell-cmdlets-windows-defender-antivirus.md). -The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender Antivirus, and includes example scripts. +The [MSDN Windows Defender WMIv2 Provider reference library](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) lists the available WMI classes for Windows Defender Antivirus, and includes example scripts. Changes made with WMI will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, System Center Configuration Manager, or Microsoft Intune can overwrite changes made with WMI. diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 3c436236fe..aebdd79b52 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Microsoft next-gen technologies in Windows Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 2aa61cadf2..97655419cf 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. @@ -50,9 +50,9 @@ See the [Windows Defender Antivirus on Windows Server 2016](windows-defender-ant >[!IMPORTANT] >Windows Defender AV is only available on endpoints running Windows 10 or Windows Server 2016. > ->In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/en-us/library/hh508760.aspx), which is managed through System Center Configuration Manager. +>In Windows 8.1 and Windows Server 2012, enterprise-level endpoint antivirus protection is offered as [System Center Endpoint Protection](https://technet.microsoft.com/library/hh508760.aspx), which is managed through System Center Configuration Manager. > ->Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/en-us/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). +>Windows Defender is also offered for [consumer devices on Windows 8.1 and Windows Server 2012](https://technet.microsoft.com/library/dn344918#BKMK_WindowsDefender), although it does not provide enterprise-level management (or an interface on Windows Server 2012 Server Core installations). This table indicates the functionality and features that are available in each state: @@ -72,11 +72,11 @@ In passive and automatic disabled mode, you can still [manage updates for Window If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode. >[!WARNING] ->You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Defender Security Center app. +>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Security app. > >This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. > ->It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). +>It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index c0484875ec..7e7820edbb 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Defender Antivirus is a built-in antimalware solution that provides next generation protection for desktops, portable computers, and servers. @@ -43,7 +43,7 @@ You can configure and manage Windows Defender Antivirus with: ## What's new in Windows 10, version 1803 - The [block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. -- The [Virus & threat protection area in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) now includes a section for ransomware protection. It includes controlled folder access settings and ransomware recovery settings. +- The [Virus & threat protection area in the Windows Security app](windows-defender-security-center-antivirus.md) now includes a section for ransomware protection. It includes controlled folder access settings and ransomware recovery settings. ## What's new in Windows 10, version 1703 @@ -51,7 +51,7 @@ You can configure and manage Windows Defender Antivirus with: New features for Windows Defender Antivirus in Windows 10, version 1703 include: - [Updates to how the block at first sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md) - [The ability to specify the level of cloud-protection](specify-cloud-protection-level-windows-defender-antivirus.md) -- [Windows Defender Antivirus protection in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) +- [Windows Defender Antivirus protection in the Windows Security app](windows-defender-security-center-antivirus.md) We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender Antivirus, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios: - [Evaluation guide for Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) @@ -69,13 +69,13 @@ Functionality, configuration, and management is largely the same when using Wind ## Related topics -[Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) -[Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) -[Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) -[Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md) -[Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) -[Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md) -[Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) -[Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md) -[Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) +- [Windows Defender AV in the Windows Security app](windows-defender-security-center-antivirus.md) +- [Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) +- [Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) +- [Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md) +- [Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) +- [Configure Windows Defender AV features](configure-windows-defender-antivirus-features.md) +- [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md) +- [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md) +- [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index 2c18d5b068..e0ce8b36b5 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -18,7 +18,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Defender Antivirus is available on Windows Server 2016. In some instances it is referred to as Endpoint Protection - however, the protection engine is the same. @@ -44,13 +44,13 @@ This topic includes the following instructions for setting up and running Window By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs, but is not required. >[!NOTE] ->You can't uninstall the Windows Defender Security Center app, but you can disable the interface with these instructions. +>You can't uninstall the Windows Security app, but you can disable the interface with these instructions. If the interface is not installed, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option. ![Add roles and feature wizard showing the GUI for Windows Defender option](images/server-add-gui.png) -See the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/en-us/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic for information on using the wizard. +See the [Install or uninstall roles, role services, or features](https://docs.microsoft.com/windows-server/administration/server-manager/install-or-uninstall-roles-role-services-or-features) topic for information on using the wizard. The following PowerShell cmdlet will also enable the interface: diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index 4f28c692b5..b705e33977 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md @@ -18,13 +18,13 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR). You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak. -In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. +In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Security app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. ## Pre-requisites and requirements @@ -86,7 +86,7 @@ You can run a Windows Defender Offline scan with the following: - PowerShell - Windows Management Instrumentation (WMI) -- The Windows Defender Security Center app +- The Windows Security app @@ -98,11 +98,11 @@ Use the following cmdlets: Start-MpWDOScan ``` -See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/en-us/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. +See [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) for more information on how to use PowerShell with Windows Defender Antivirus. **Use Windows Management Instruction (WMI) to run an offline scan:** -Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/en-us/library/dn455323(v=vs.85).aspx) class to run an offline scan. +Use the [**MSFT_MpWDOScan**](https://msdn.microsoft.com/library/dn455323(v=vs.85).aspx) class to run an offline scan. The following WMI script snippet will immediately run a Windows Defender Offline scan, which will cause the endpoint to restart, run the offline scan, and then restart and boot into Windows. @@ -111,12 +111,12 @@ wmic /namespace:\\root\Microsoft\Windows\Defender path MSFT_MpWDOScan call Start ``` See the following for more information: -- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) +- [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/library/dn439477(v=vs.85).aspx) **Use the Windows Defender Security app to run an offline scan:** -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label: @@ -130,7 +130,7 @@ See the following for more information: ## Review scan results -Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). +Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index ae068a7b88..ca5529dfa1 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Antivirus in the Windows Defender Security Center app -description: Windows Defender AV is now included in the Windows Defender Security Center app. +title: Windows Defender Antivirus in the Windows Security app +description: Windows Defender AV is now included in the Windows Security app. keywords: wdav, antivirus, firewall, security, windows search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -14,41 +14,41 @@ ms.author: v-anbic ms.date: 09/03/2018 --- -# Windows Defender Antivirus in the Windows Defender Security Center app +# Windows Defender Antivirus in the Windows Security app **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Defender Security Center. +In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security. Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703. > [!IMPORTANT] -> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. +> Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. > [!WARNING] -> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. >It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. >This will significantly lower the protection of your device and could lead to malware infection. -See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. +See the [Windows Security topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. >[!NOTE] ->The Windows Defender Security Center app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +>The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). -**Review virus and threat protection settings in the Windows Defender Security Center app:** +**Review virus and threat protection settings in the Windows Security app:** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). -![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png) +![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) ## Comparison of settings and functions of the old app and the new app -All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Defender Security Center app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. +All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. The following diagrams compare the location of settings and functions between the old and new apps: @@ -67,14 +67,14 @@ Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | De ## Common tasks -This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Defender Security Center app. +This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Security app. > [!NOTE] > If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured. -**Run a scan with the Windows Defender Security Center app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +**Run a scan with the Windows Security app** +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). @@ -83,8 +83,8 @@ This section describes how to perform some of the most common tasks when reviewi 4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan. -**Review the definition update version and download the latest updates in the Windows Defender Security Center app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +**Review the definition update version and download the latest updates in the Windows Security app** +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). @@ -96,9 +96,9 @@ This section describes how to perform some of the most common tasks when reviewi -**Ensure Windows Defender Antivirus is enabled in the Windows Defender Security Center app** +**Ensure Windows Defender Antivirus is enabled in the Windows Security app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). @@ -108,12 +108,12 @@ This section describes how to perform some of the most common tasks when reviewi >[!NOTE] >If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats. ->If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). +>If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). -**Add exclusions for Windows Defender Antivirus in the Windows Defender Security Center app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +**Add exclusions for Windows Defender Antivirus in the Windows Security app** +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). @@ -135,13 +135,13 @@ This section describes how to perform some of the most common tasks when reviewi **Set ransomware protection and recovery options** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). 3. Click **Ransomware protection**. -4. To change Controlled folder access settings, see [Protect important folders with Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard). +4. To change Controlled folder access settings, see [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard). 5. To set up ransomware recovery options, click **Set up** under **Ransomware data recovery** and follow the instructions for linking or setting up your OneDrive account so you can easily recover from a ransomware attack. diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 123f439d6f..8b71416a15 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -22,6 +22,7 @@ ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Use WDAC with .NET hardening](use-windows-defender-application-control-with-dynamic-code-security.md) +### [Query WDAC events with Advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) #### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 689be7ba29..d85ed0d63b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -50,7 +50,7 @@ AppLocker helps administrators control how users can access and use files, such You can administer AppLocker policies by using the Group Policy Management Console to create or edit a Group Policy Object (GPO), or to create or edit an AppLocker policy on a local computer by using the Local Group Policy Editor snap-in or the Local Security Policy snap-in (secpol.msc). -### Administer Applocker using Group Policy +### Administer AppLocker using Group Policy You must have Edit Setting permission to edit a GPO. By default, members of the **Domain Admins** group, the **Enterprise Admins** group, and the **Group Policy Creator Owners** group have this permission. Also, the Group Policy Management feature must be installed on the computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 9da9555294..83fd5dc5c5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -116,7 +116,7 @@ The following table details these path variables. | Windows directory or disk | AppLocker path variable | Windows environment variable | | - | - | - | | Windows| %WINDIR%| %SystemRoot%| -| System32| %SYSTEM32%| %SystemDirectory%| +| System32 and SysWOW64| %SYSTEM32%| %SystemDirectory%| | Windows installation directory| %OSDRIVE%| %SystemDrive%| | Program Files| %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)% | | Removable media (for example, a CD or DVD)| %REMOVABLE%| | diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index ce654afdd8..b5d1cd4483 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -65,7 +65,7 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin ``` -After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. +After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (InitialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security. > [!Note] > We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 26155f371a..8522325f19 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -42,7 +42,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you - windbg.exe - wmic.exe -[1]A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/en-us/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. +[1]A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](https://docs.microsoft.com/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked. [2]If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you whitelist msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe. diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md new file mode 100644 index 0000000000..b1018f5e79 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md @@ -0,0 +1,39 @@ +--- +title: Querying Application Control events centrally using Advanced hunting (Windows 10) +description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: mdsakibMSFT +ms.author: justinha +ms.date: 12/06/2018 +--- + +# Querying Application Control events centrally using Advanced hunting + +A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. +While Event Viewer helps to see the impact on a single system, IT Pros want to gauge the impact across many systems. + +In November 2018, we added functionality in Windows Defender Advanced Threat Protection (Windows Defender ATP) that makes it easy to view WDAC events centrally from all systems that are connected to Windows Defender ATP. + +Advanced hunting in Windows Defender ATP allows customers to query data using a rich set of capabilities. WDAC events can be queried with using an ActionType that starts with “AppControl”. +This capability is supported beginning with Windows version 1607. + +Here is a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Windows Defender ATP: + +``` +MiscEvents +| where EventTime > ago(7d) and +ActionType startswith "AppControl" +| summarize Machines=dcount(ComputerName) by ActionType +| order by Machines desc +``` + +The query results can be used for several important functions related to managing WDAC including: + +- Assessing the impact of deploying policies in audit mode + Since applications still run in audit mode, it is an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would impact those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode. +- Monitoring blocks from policies in enforced mode + Policies deployed in enforced mode may block executables or scripts that fail to meet any of the included allow rules. Legitimate new applications and updates or potentially unwanted or malicious software could be blocked. In either case, the Advanced hunting queries report the blocks for further investigation. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 2c07c12e12..b5c590602d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: jsuther1974 -ms.date: 05/03/2018 +ms.date: 01/08/2019 --- # Windows Defender Application Control @@ -17,6 +17,7 @@ ms.date: 05/03/2018 - Windows 10 - Windows Server 2016 +- Windows Server 2019 With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. In most organizations, information is the most valuable asset, and ensuring that only approved users have access to that information is imperative. @@ -36,9 +37,9 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs ## WDAC System Requirements -WDAC policies can only be created on computers running Windows 10 Enterprise or Windows Server 2016. -They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune. -Group Policy can also be used to distribute Group Policy Objects that contain WDAC policies on computers running Windows 10 Enterprise or Windows Server 2016. +WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016. +They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. +Group Policy or Intune can be used to distribute WDAC policies. ## New and changed functionality diff --git a/windows/security/threat-protection/windows-defender-application-guard/TOC.md b/windows/security/threat-protection/windows-defender-application-guard/TOC.md new file mode 100644 index 0000000000..9e42b2b691 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-guard/TOC.md @@ -0,0 +1,7 @@ +# [Windows Defender Application Guard](wd-app-guard-overview.md) + +## [System requirements](reqs-wd-app-guard.md) +## [Install WDAG](install-wd-app-guard.md) +## [Configure WDAG policies](configure-wd-app-guard.md) +## [Test scenarios](test-scenarios-wd-app-guard.md) +## [FAQ](faq-wd-app-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index d1ce22572e..3579ace8b1 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -8,23 +8,23 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 10/19/2017 +ms.date: 10/17/2017 --- # Configure Windows Defender Application Guard policy settings -**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. Application Guard uses both network isolation and application-specific settings. -### Network isolation settings +## Network isolation settings These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. >[!NOTE] ->You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. +>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. |Policy name|Supported versions|Description| @@ -33,15 +33,18 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. | |Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.| -### Application-specific settings +## Application-specific settings These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard. |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
    • Disable the clipboard functionality completely when Virtualization Security is enabled.
    • Enable copying of certain content from Application Guard into Microsoft Edge.
    • Enable copying of certain content from Microsoft Edge into Application Guard.

      **Important**
      Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
    **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
    • Enable Application Guard to print into the XPS format.
    • Enable Application Guard to print into the PDF format.
    • Enable Application Guard to print to locally attached printers.
    • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
    **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| -|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

    **Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | -|Allow Persistence|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

    **Disabled or not configured.** All user data within Application Guard is reset between sessions.

    **Note**
    If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
    **To reset the container:**
    1. Open a command-line program and navigate to Windows/System32.
    2. Type `wdagtool.exe cleanup`.
      The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
      The container environment is reset, including discarding all employee-generated data.
    | +|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
    • Disable the clipboard functionality completely when Virtualization Security is enabled.
    • Enable copying of certain content from Application Guard into Microsoft Edge.
    • Enable copying of certain content from Microsoft Edge into Application Guard.

      **Important**
      Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
    **Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| +|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
    • Enable Application Guard to print into the XPS format.
    • Enable Application Guard to print into the PDF format.
    • Enable Application Guard to print to locally attached printers.
    • Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.
    **Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.

    **Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | +|Allow Persistence|Windows 10 Enterprise, 1709 or higher

    Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

    **Disabled or not configured.** All user data within Application Guard is reset between sessions.

    **Note**
    If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
    **To reset the container:**
    1. Open a command-line program and navigate to Windows/System32.
    2. Type `wdagtool.exe cleanup`.
      The container environment is reset, retaining only the employee-generated data.
    3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.
      The container environment is reset, including discarding all employee-generated data.
    | |Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.

    **Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

    **Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803

    (experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

      **Important**
      Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

    **Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.

    **Note**
    This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.

    **Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher

    Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.

      **Important**
      Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

    **Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher

    Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.

    **Important**
    Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

    **Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Windows Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

    Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

    **Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.| +|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.

    **Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 06a0ab7b13..0c72267505 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -13,7 +13,7 @@ ms.date: 11/07/2017 # Frequently asked questions - Windows Defender Application Guard -**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png new file mode 100644 index 0000000000..3c1b046b93 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png differ diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png new file mode 100644 index 0000000000..78552bf6db Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-root-certificates.png differ diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png new file mode 100644 index 0000000000..08cb4d5676 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png differ diff --git a/windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png new file mode 100644 index 0000000000..9e58d99ead Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-guard/images/appguard-security-center-settings.png differ diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index c483df5917..bcc683e524 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -14,7 +14,7 @@ ms.date: 10/19/2017 # Prepare to install Windows Defender Application Guard **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) ## Review system requirements @@ -26,7 +26,7 @@ Your environment needs the following hardware to run Windows Defender Applicatio |Hardware|Description| |--------|-----------| -|64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).| |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

    **-AND-**

    One of the following virtualization extensions for VBS:

    VT-x (Intel)

    **-OR-**

    AMD-V| |Hardware memory|Microsoft requires a minimum of 8GB RAM| |Hard disk|5 GB free space, solid state disk (SSD) recommended| @@ -39,7 +39,7 @@ Your environment needs the following software to run Windows Defender Applicatio |--------|-----------| |Operating system|Windows 10 Enterprise edition, version 1709 or higher
    Windows 10 Professional edition, version 1803| |Browser|Microsoft Edge and Internet Explorer| -|Management system
    (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)

    **-OR-**

    [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)

    **-OR-**

    [Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)

    **-OR-**

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| +|Management system
    (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

    **-OR-**

    [System Center Configuration Manager](https://docs.microsoft.com/sccm/)

    **-OR-**

    [Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

    **-OR-**

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| ## Prepare for Windows Defender Application Guard diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index bdc18e10d3..72eb82edac 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -13,7 +13,7 @@ ms.date: 11/09/2017 # System requirements for Windows Defender Application Guard -**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. @@ -25,7 +25,7 @@ Your environment needs the following hardware to run Windows Defender Applicatio |Hardware|Description| |--------|-----------| -|64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).| |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

    **-AND-**

    One of the following virtualization extensions for VBS:

    VT-x (Intel)

    **-OR-**

    AMD-V| |Hardware memory|Microsoft requires a minimum of 8GB RAM| |Hard disk|5 GB free space, solid state disk (SSD) recommended| @@ -38,4 +38,4 @@ Your environment needs the following software to run Windows Defender Applicatio |--------|-----------| |Operating system|Windows 10 Enterprise edition, version 1709 or higher
    Windows 10 Professional edition, version 1803| |Browser|Microsoft Edge and Internet Explorer| -|Management system
    (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)

    **-OR-**

    [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)

    **-OR-**

    [Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)

    **-OR-**

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| +|Management system
    (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

    **-OR-**

    [System Center Configuration Manager](https://docs.microsoft.com/sccm/)

    **-OR-**

    [Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

    **-OR-**

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index b05ad26647..511904d283 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md @@ -8,13 +8,13 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 10/19/2017 +ms.date: 10/16/2018 --- # Application Guard testing scenarios -**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. @@ -66,9 +66,9 @@ Before you can use Application Guard in enterprise mode, you must install Window ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png) -4. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting. +4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting. -5. Click **Enabled**. +5. Click **Enabled** and click **OK**. ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png) @@ -104,10 +104,11 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterpise edition, version 1709 or higher - Windows 10 Professional edition, version 1803 -**To change the copy and paste options** -1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**. +#### Copy and paste options -2. Click **Enabled**. +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**. + +2. Click **Enabled** and click **OK**. ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png) @@ -129,10 +130,11 @@ You have the option to change each of these settings to work with your enterpris 5. Click **OK**. -**To change the print options** -1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings. +#### Print options -2. Click **Enabled**. +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings. + +2. Click **Enabled** and click **OK**. ![Group Policy editor Print options](images/appguard-gp-print.png) @@ -140,10 +142,11 @@ You have the option to change each of these settings to work with your enterpris 4. Click **OK**. -**To change the data persistence options** -1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting. +#### Data persistence options -2. Click **Enabled**. +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting. + +2. Click **Enabled** and click **OK**. ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png) @@ -164,10 +167,11 @@ You have the option to change each of these settings to work with your enterpris - Windows 10 Enterpise edition, version 1803 - Windows 10 Professional edition, version 1803 -**To change the download options** -1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting. +#### Download options -2. Click **Enabled**. +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting. + +2. Click **Enabled** and click **OK**. ![Group Policy editor Download options](images/appguard-gp-download.png) @@ -177,16 +181,57 @@ You have the option to change each of these settings to work with your enterpris 5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files. -**To change hardware acceleration options** -1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting. +#### Hardware acceleration options -2. Click **Enabled**. +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting. + +2. Click **Enabled** and click **OK**. ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png) -3. Contact Microsoft for further information to fully enable this setting. +3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. -4. Once you have fully enabled this experimental feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session. +4. Assess the visual experience and battery performance. -5. Assess the visual experience and battery performance. +**Applies to:** +- Windows 10 Enterpise edition, version 1809 +- Windows 10 Professional edition, version 1809 + +#### File trust options + +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard** setting. + +2. Click **Enabled**, set **Options** to 2, and click **OK**. + + ![Group Policy editor Download options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png) + +3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. + +4. Open a file in Edge, such an Office 365 file. + +5. Check to see that an antivirus scan completed before the file was opened. + +#### Camera and microphone options + +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard** setting. + +2. Click **Enabled** and click **OK**. + + ![Group Policy editor Download options](images/appguard-gp-allow-camera-and-mic.png) + +3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. + +4. Open an application with video or audio capability in Edge. + +5. Check that the camera and microphone work as expected. + +#### Root certificate sharing options + +1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device** setting. + +2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**. + + ![Group Policy editor Download options](images/appguard-gp-allow-root-certificates.png) + +3. Log out and back on to your device, opening Microsoft Edge in Application Guard again. diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index de2039986d..16fa6c33df 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -8,14 +8,14 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 09/07/2018 +ms.date: 11/27/2018 --- # Windows Defender Application Guard overview -**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete. +Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. ## What is Application Guard and how does it work? Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 073a9201b3..5e93dae32c 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -4,6 +4,7 @@ ### [Attack surface reduction](overview-attack-surface-reduction.md) #### [Hardware-based isolation](overview-hardware-based-isolation.md) ##### [Application isolation](../windows-defender-application-guard/wd-app-guard-overview.md) +###### [System requirements](../windows-defender-application-guard/reqs-wd-app-guard.md) ##### [System isolation](how-hardware-based-containers-help-protect-windows.md) #### [Application control](../windows-defender-application-control/windows-defender-application-control.md) #### [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) @@ -16,6 +17,12 @@ #### [Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md) +#### [Incidents queue](incidents-queue.md) +##### [View and organize the Incidents queue](view-incidents-queue.md) +##### [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) +##### [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md) + + #### Alerts queue ##### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) ##### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) @@ -28,7 +35,7 @@ #### Machines list ##### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) -##### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) +##### [Manage machine group and tags](machine-tags-windows-defender-advanced-threat-protection.md) ##### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) ##### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) ###### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) @@ -77,72 +84,14 @@ ### [Management and APIs](management-apis.md) #### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md) -#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md) -#####Actor -###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md) -###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md) -#####Alerts -###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md) -###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md) -###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) -###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) -######Domain -####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md) -####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md) -####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md) -####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) - -#####File -###### [Block file API](block-file-windows-defender-advanced-threat-protection.md) -###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md) -###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md) -###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md) -###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md) -###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md) - -#####IP -###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md) -###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md) -###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md) -#####Machines -###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md) -###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) -###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md) -###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md) -###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) -###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md) -###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md) -###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md) -###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md) -###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md) -###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md) -###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md) -###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md) -###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md) -###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md) -###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md) -###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md) -###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md) - -#####User -###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md) -###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md) -###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md) -###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md) - - -#### [Managed service provider provider support](mssp-support-windows-defender-advanced-threat-protection.md) +#### [Windows Defender ATP APIs](apis-intro.md) +#### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md) -### [Microsoft threat protection](threat-protection-integration.md) +### [Microsoft Threat Protection](threat-protection-integration.md) #### [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) -#### [Microsoft Cloud App Security integration overview](microsoft-cloud-app-security-integration.md) +#### [Microsoft Cloud App Security in Windows overview](microsoft-cloud-app-security-integration.md) +#### [Information protection in Windows overview](information-protection-in-windows-overview.md) ### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) @@ -173,10 +122,12 @@ #### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md) ##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md) #### [Application control](../windows-defender-application-control/windows-defender-application-control.md) -#### [Device control](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) -##### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md) -###### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) -###### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) +#### Device control +##### [Control USB devices](../device-control/control-usb-devices-using-intune.md) +##### [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +###### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md) +####### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) +####### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) #### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md) ##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md) ##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) @@ -197,7 +148,7 @@ ##### [Enable Block at first sight](../windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) ##### [Configure the cloud block timeout period](../windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md) #### [Configure behavioral, heuristic, and real-time protection](../windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md) -##### [Detect and block Potentially Unwanted Applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) +##### [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) ##### [Enable and configure always-on protection and monitoring](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) #### [Antivirus on Windows Server 2016](../windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md) #### [Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md) @@ -220,7 +171,7 @@ ###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) ###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) ###### [Configure antivirus exclusions Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) -##### [Configure scanning antivirus options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) +##### [Configure antivirus scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) ##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) ##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) ##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md) @@ -274,6 +225,160 @@ ##### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) ###### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md) + +#### [Use the Windows Defender ATP exposed APIs](use-apis.md) +##### Create your app +###### [Get access on behalf of a user](exposed-apis-create-app-nativeapp.md) +###### [Get access without a user](exposed-apis-create-app-webapp.md) +##### [Supported Windows Defender ATP APIs](exposed-apis-list.md) +###### [Advanced Hunting](run-advanced-query-api.md) + +###### [Alert](alerts-windows-defender-advanced-threat-protection-new.md) +####### [List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md) +####### [Update Alert](update-alert-windows-defender-advanced-threat-protection-new.md) +####### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) +####### [Get alert related domains information](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md) +####### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) +####### [Get alert related IPs information](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) +####### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) +####### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) + +###### Domain +####### [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection-new.md) +####### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection-new.md) +####### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md) + +###### [File](files-windows-defender-advanced-threat-protection-new.md) +####### [Get file information](get-file-information-windows-defender-advanced-threat-protection-new.md) +####### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) +####### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) + +###### IP +####### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection-new.md) +####### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection-new.md) +####### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection-new.md) + +###### [Machine](machine-windows-defender-advanced-threat-protection-new.md) +####### [List machines](get-machines-windows-defender-advanced-threat-protection-new.md) +####### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) +####### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) +####### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) +####### [Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) + +###### [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) +####### [List Machine Actions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) +####### [Get Machine Action](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) +####### [Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) +####### [Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) +####### [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) +####### [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md) +####### [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) +####### [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) +####### [Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) +####### [Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md) +####### [Stop and quarantine file](stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md) + +###### [User](user-windows-defender-advanced-threat-protection-new.md) +####### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) +####### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) + +##### How to use APIs - Samples +###### Advanced Hunting API +####### [Schedule advanced Hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) +####### [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) +####### [Advanced Hunting using Python](run-advanced-query-sample-python.md) +####### [Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) +###### Multiple APIs +####### [PowerShell](exposed-apis-full-sample-powershell.md) +###### [Using OData Queries](exposed-apis-odata-samples.md) + +#### [Use the Windows Defender ATP exposed APIs (deprecated)](exposed-apis-windows-defender-advanced-threat-protection.md) +##### [Supported Windows Defender ATP APIs (deprecated)](supported-apis-windows-defender-advanced-threat-protection.md) +######Actor (deprecated) +####### [Get actor information (deprecated)](get-actor-information-windows-defender-advanced-threat-protection.md) +####### [Get actor related alerts (deprecated)](get-actor-related-alerts-windows-defender-advanced-threat-protection.md) +######Alerts (deprecated) +####### [Get alerts (deprecated)](get-alerts-windows-defender-advanced-threat-protection.md) +####### [Get alert information by ID (deprecated)](get-alert-info-by-id-windows-defender-advanced-threat-protection.md) +####### [Get alert related actor information (deprecated)](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related domain information (deprecated)](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related file information (deprecated)](get-alert-related-files-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related IP information (deprecated)](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md) +####### [Get alert related machine information (deprecated)](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md) +######Domain (deprecated) +####### [Get domain related alerts (deprecated)](get-domain-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get domain related machines (deprecated)](get-domain-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get domain statistics (deprecated)](get-domain-statistics-windows-defender-advanced-threat-protection.md) +####### [Is domain seen in organization (deprecated)](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md) + +######File(deprecated) +####### [Block file (deprecated)](block-file-windows-defender-advanced-threat-protection.md) +####### [Get file information (deprecated)](get-file-information-windows-defender-advanced-threat-protection.md) +####### [Get file related alerts (deprecated)](get-file-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get file related machines (deprecated)](get-file-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get file statistics (deprecated)](get-file-statistics-windows-defender-advanced-threat-protection.md) +####### [Get FileActions collection (deprecated)](get-fileactions-collection-windows-defender-advanced-threat-protection.md) +####### [Unblock file (deprecated)](unblock-file-windows-defender-advanced-threat-protection.md) + +######IP (deprecated) +####### [Get IP related alerts (deprecated)](get-ip-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get IP related machines (deprecated)](get-ip-related-machines-windows-defender-advanced-threat-protection.md) +####### [Get IP statistics (deprecated)](get-ip-statistics-windows-defender-advanced-threat-protection.md) +####### [Is IP seen in organization (deprecated)](is-ip-seen-org-windows-defender-advanced-threat-protection.md) +######Machines (deprecated) +####### [Collect investigation package (deprecated)](collect-investigation-package-windows-defender-advanced-threat-protection.md) +####### [Find machine information by IP (deprecated)](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md) +####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md) +####### [Get FileMachineAction object (deprecated)](get-filemachineaction-object-windows-defender-advanced-threat-protection.md) +####### [Get FileMachineActions collection (deprecated)](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md) +####### [Get machine by ID (deprecated)](get-machine-by-id-windows-defender-advanced-threat-protection.md) +####### [Get machine log on users (deprecated)](get-machine-log-on-users-windows-defender-advanced-threat-protection.md) +####### [Get machine related alerts (deprecated)](get-machine-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get MachineAction object (deprecated)](get-machineaction-object-windows-defender-advanced-threat-protection.md) +####### [Get MachineActions collection (deprecated)](get-machineactions-collection-windows-defender-advanced-threat-protection.md) +####### [Get machines (deprecated)](get-machines-windows-defender-advanced-threat-protection.md) +####### [Get package SAS URI (deprecated)](get-package-sas-uri-windows-defender-advanced-threat-protection.md) +####### [Isolate machine (deprecated)](isolate-machine-windows-defender-advanced-threat-protection.md) +####### [Release machine from isolation (deprecated)](unisolate-machine-windows-defender-advanced-threat-protection.md) +####### [Remove app restriction (deprecated)](unrestrict-code-execution-windows-defender-advanced-threat-protection.md) +####### [Request sample (deprecated)](request-sample-windows-defender-advanced-threat-protection.md) +####### [Restrict app execution (deprecated)](restrict-code-execution-windows-defender-advanced-threat-protection.md) +####### [Run antivirus scan (deprecated)](run-av-scan-windows-defender-advanced-threat-protection.md) +####### [Stop and quarantine file (deprecated)](stop-quarantine-file-windows-defender-advanced-threat-protection.md) + +######User (deprecated) +####### [Get alert related user information (deprecated)](get-alert-related-user-info-windows-defender-advanced-threat-protection.md) +####### [Get user information (deprecated)](get-user-information-windows-defender-advanced-threat-protection.md) +####### [Get user related alerts (deprecated)](get-user-related-alerts-windows-defender-advanced-threat-protection.md) +####### [Get user related machines (deprecated)](get-user-related-machines-windows-defender-advanced-threat-protection.md) + + + + + + + + + + + + + + + + + + + + + + + #### API for custom alerts ##### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) ##### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md) @@ -305,16 +410,17 @@ #### [Configure managed security service provider (MSSP) support](configure-mssp-support-windows-defender-advanced-threat-protection.md) -### Configure Microsoft threat protection integration +### Configure Microsoft Threat Protection integration #### [Configure conditional access](configure-conditional-access-windows-defender-advanced-threat-protection.md) -#### [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md) +#### [Configure Microsoft Cloud App Security in Windows](microsoft-cloud-app-security-config.md) +####[Configure information protection in Windows](information-protection-in-windows-config.md) -### [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) +### [Configure Windows Security app settings](preferences-setup-windows-defender-advanced-threat-protection.md) #### General ##### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) ##### [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) -##### [Enable and create Power BI reports using Windows Defender Security center data](powerbi-reports-windows-defender-advanced-threat-protection.md) +##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports-windows-defender-advanced-threat-protection.md) ##### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) ##### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md) @@ -339,7 +445,7 @@ ##### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md) ##### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md) -#### [Configure Windows Defender Security Center time zone settings](time-settings-windows-defender-advanced-threat-protection.md) +#### [Configure Windows Security app time zone settings](time-settings-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..b9f697e5af --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,111 @@ +--- +title: Add or Remove Machine Tags API +description: Use this API to Add or Remove machine tags. +keywords: apis, graph api, supported apis, tags, machine tags +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Add or Remove Machine Tags API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +- Adds or remove tag to a specific machine. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Manage security setting' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/tags +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Value | String | The tag name. **Required**. +Action | Enum | Add or Remove. Allowed values are: 'Add' or 'Remove'. **Required**. + + +## Response +If successful, this method returns 200 - Ok response code and the updated Machine in the response body. + + +## Example + +**Request** + +Here is an example of a request that adds machine tag. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags +Content-type: application/json +{ + "Value" : "test Tag 2", + "Action": "Add" +} + +``` +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine/$entity", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] +} + +``` + +- To remove machine tag, set the Action to 'Remove' instead of 'Add' in the request body. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index 28bcbdb441..a6cd39db1b 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure advanced features in Windows Defender ATP description: Turn on advanced features such as block file in Windows Defender Advanced Threat Protection. keywords: advanced features, settings, block file, automated investigation, auto-resolve, skype, azure atp, office 365, azure information protection, intune search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,31 +11,33 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/06/2018 +ms.date: 11/16/2018 --- # Configure advanced features in Windows Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink) Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with. -Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: +Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: ## Automated investigation When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations-windows-defender-advanced-threat-protection.md). ## Auto-resolve remediated alerts -You can configure the automated investigations capability to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". +For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature. + +>[!TIP] +>For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page. >[!NOTE] > - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine. >- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overrite it. -If you don't want to have alerts auto-resolved, you'll need to manually turn off the feature. ## Block file This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled. @@ -81,9 +84,12 @@ When you enable this feature, you'll be able to incorporate data from Office 365 To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). ## Microsoft Cloud App Security -Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. +Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. -## Azure information protection +>[!NOTE] +>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. + +## Azure Information Protection Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings. diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md index fd419d2f79..046e911ac9 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Advanced hunting best practices in Windows Defender ATP description: Learn about Advanced hunting best practices such as what filters and keywords to use to effectively query data. keywords: advanced hunting, best practices, keyword, filters, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md index b594ad69f0..4e5cd8cfb4 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Advanced hunting reference in Windows Defender ATP description: Learn about Advanced hunting table reference such as column name, data type, and description keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics, column name, data type, description search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 06/01/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -36,12 +37,12 @@ To effectively build queries that span multiple tables, you need to understand t | ActionType | string | Type of activity that triggered the event | | AdditionalFields | string | Additional information about the event in JSON array format | | AlertId | string | Unique identifier for the alert | +| AppGuardContainerId | string | Identifier for the virtualized container used by Application Guard to isolate browser activity | | ComputerName | string | Fully qualified domain name (FQDN) of the machine | | ConnectedNetworks | string | Networks that the adapter is connected to. Each JSON array contains the network name, category (public, private or domain), a description, and a flag indicating if it’s connected publicly to the internet. | | DefaultGateways | string | Default gateway addresses in JSON array format | -| DnsServers | string | DNS server addresses in JSON array format | +| DnsAddresses | string | DNS server addresses in JSON array format | | EventTime | datetime | Date and time when the event was recorded | -| EventType | string | Table where the record is stored | | FileName | string | Name of the file that the recorded action was applied to | | FileOriginIp | string | IP address where the file was downloaded from | | FileOriginReferrerUrl | string | URL of the web page that links to the downloaded file | @@ -60,7 +61,7 @@ To effectively build queries that span multiple tables, you need to understand t | InitiatingProcessMd5 | string | MD5 hash of the process (image file) that initiated the event | | InitiatingProcessParentCreationTime | datetime | Date and time when the parent of the process responsible for the event was started | | InitiatingProcessParentId | int | Process ID (PID) of the parent process that spawned the process responsible for the event | -| InitiatingProcessParentName | string | Name of the parent process that spawned the process responsible for the event | +| InitiatingProcessParentFileName | string | Name of the parent process that spawned the process responsible for the event | | InitiatingProcessSha1 | string | SHA-1 of the process (image file) that initiated the event | | InitiatingProcessSha256 | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available. | | InitiatingProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | @@ -70,6 +71,7 @@ To effectively build queries that span multiple tables, you need to understand t | IsAzureADJoined | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory | | LocalIP | string | IP address assigned to the local machine used during communication | | LocalPort | int | TCP port on the local machine used during communication | +| LocalIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | LogonId | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts. | | LoggedOnUsers | string | List of all users that are logged on the machine at the time of the event in JSON array format | | LogonType | string | Type of logon session, specifically:

    - **Interactive** - User physically interacts with the machine using the local keyboard and screen

    - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients

    - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed

    - **Batch** - Session initiated by scheduled tasks

    - **Service** - Session initiated by services as they start
    @@ -78,9 +80,8 @@ To effectively build queries that span multiple tables, you need to understand t | MachineId | string | Unique identifier for the machine in the service | | MD5 | string | MD5 hash of the file that the recorded action was applied to | | NetworkAdapterName | string | Name of the network adapter | -| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/en-us/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). | -| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/en-us/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). | -| NetworkCardIPs | string | List of all network adapters on the machine, including their MAC addresses and assigned IP addresses, in JSON array format | +| NetworkAdapterStatus | string | Operational status of the network adapter. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.operationalstatus?view=netframework-4.7.2). | +| NetworkAdapterType | string | Network adapter type. For the possible values, refer to [this enumeration](https://docs.microsoft.com/dotnet/api/system.net.networkinformation.networkinterfacetype?view=netframework-4.7.2). | | OSArchitecture | string | Architecture of the operating system running on the machine | | OSBuild | string | Build version of the operating system running on the machine | | OSPlatform | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | @@ -93,7 +94,7 @@ To effectively build queries that span multiple tables, you need to understand t | ProcessId | int | Process ID (PID) of the newly created process | | ProcessIntegrityLevel | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources. | | ProcessTokenElevation | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process | -| ProviderId | string | Unique identifier for the Event Tracing for Windows (ETW) provider that collected the event log | +| Protocol | string | IP protocol used, whether TCP or UDP | | PublicIP | string | Public IP address used by the onboarded machine to connect to the Windows Defender ATP service. This could be the IP address of the machine itself, a NAT device, or a proxy. | | RegistryKey | string | Registry key that the recorded action was applied to | | RegistryValueData | string | Data of the registry value that the recorded action was applied to | @@ -101,15 +102,17 @@ To effectively build queries that span multiple tables, you need to understand t | RegistryValueType | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | | RemoteComputerName | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. | | RemoteIP | string | IP address that was being connected to | +| RemoteIPType | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | RemotePort | int | TCP port on the remote device that was being connected to | | RemoteUrl | string | URL or fully qualified domain name (FQDN) that was being connected to | | ReportId | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the ComputerName and EventTime columns. | | SHA1 | string | SHA-1 of the file that the recorded action was applied to | | SHA256 | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available. | -| TunnelingProtocol | string | Tunneling protocol, if the interface is used for this purpose, for example:
    - Various IPv6 to IPv4 tunneling protocols (6to4, Teredo, ISATAP)
    - VPN (PPTP, SSTP)
    - SSH
    **NOTE:** This field doesn’t provide full IP tunneling specifications. | +| Table | string | Table that contains the details of the event | +| TunnelingType | string | Tunneling protocol, if the interface is used for this purpose, for example 6to4, Teredo, ISATAP, PPTP, SSTP, and SSH | >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink) ## Related topic - [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) -- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index 3eb5787182..11646a76e2 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Query data using Advanced hunting in Windows Defender ATP description: Learn about Advanced hunting in Windows Defender ATP and how to query ATP data. keywords: advanced hunting, atp query, query atp data, intellisense, atp telemetry, events, events telemetry, azure log analytics search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -58,21 +59,22 @@ To see a live example of these operators, run them as part of the **Get started* ## Access query language documentation -For more information on the query language and supported operators, see [Query Language](https://docs.loganalytics.io/docs/Language-Reference/). +For more information on the query language and supported operators, see [Query Language](https://docs.microsoft.com/azure/log-analytics/query-language/query-language). ## Use exposed tables in Advanced hunting The following tables are exposed as part of Advanced hunting: -- **AlertEvents** - Stores alerts related information -- **MachineInfo** - Stores machines properties -- **ProcessCreationEvents** - Stores process creation events -- **NetworkCommunicationEvents** - Stores network communication events -- **FileCreationEvents** - Stores file creation, modification, and rename events -- **RegistryEvents** - Stores registry key creation, modification, rename and deletion events -- **LogonEvents** - Stores login events -- **ImageLoadEvents** - Stores load dll events -- **MiscEvents** - Stores several types of events, process injection events, access to LSASS processes, and others. +- **AlertEvents** - Alerts on Windows Defender Security Center +- **MachineInfo** - Machine information, including OS information +- **MachineNetworkInfo** - Network properties of machines, including adapters, IP and MAC addresses, as well as connected networks and domains +- **ProcessCreationEvents** - Process creation and related events +- **NetworkCommunicationEvents** - Network connection and related events +- **FileCreationEvents** - File creation, modification, and other file system events +- **RegistryEvents** - Creation and modification of registry entries +- **LogonEvents** - Login and other authentication events +- **ImageLoadEvents** - DLL loading events +- **MiscEvents** - Multiple event types, such as process injection, creation of scheduled tasks, and LSASS access attempts These tables include data from the last 30 days. @@ -136,8 +138,8 @@ The filter selections will resolve as an additional query term and the results w -## Public Advanced Hunting query GitHub repository -Check out the [Advanced Hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers. +## Public Advanced hunting query GitHub repository +Check out the [Advanced hunting repository](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). Contribute and use example queries shared by our customers. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhunting-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md index cce2d0c0a3..6ffa18b0b6 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md @@ -3,6 +3,7 @@ title: Alerts queue in Windows Defender Security Center description: View and manage the alerts surfaced in Windows Defender Security Center keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index 526668ad8c..182eacc7b7 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: View and organize the Windows Defender ATP Alerts queue description: Learn about how the Windows Defender ATP alerts queues work, and how to sort and filter lists of alerts. keywords: alerts, queues, alerts queue, sort, order, filter, manage alerts, new, in progress, resolved, newest, time in queue, severity, time period search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 04/24/2018 # View and organize the Windows Defender Advanced Threat Protection Alerts queue **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..c7cfc039ad --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,82 @@ +--- +title: Get alerts API +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Alert resource type +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Represents an alert entity in WDATP. + +# Methods +Method|Return Type |Description +:---|:---|:--- +[Get alert](get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) | Get a single [alert](alerts-windows-defender-advanced-threat-protection-new.md) object. +[List alerts](get-alerts-windows-defender-advanced-threat-protection-new.md) | [Alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection. +[Create alert](create-alert-by-reference-windows-defender-advanced-threat-protection-new.md)|[Alert](alerts-windows-defender-advanced-threat-protection-new.md)|Create an alert based on event data obtained from [Advanced Hunting](run-advanced-query-api.md). +[List related domains](get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md)|Domain collection| List URLs associated with the alert. +[List related files](get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md) | [File](files-windows-defender-advanced-threat-protection-new.md) collection | List the [file](files-windows-defender-advanced-threat-protection-new.md) entities that are associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md). +[List related IPs](get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md) | IP collection | List IPs that are associated with the alert. +[Get related machines](get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md) | [Machine](machine-windows-defender-advanced-threat-protection-new.md) | The [machine](machine-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md). +[Get related users](get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md) | [User](user-windows-defender-advanced-threat-protection-new.md) | The [user](user-windows-defender-advanced-threat-protection-new.md) that is associated with the [alert](alerts-windows-defender-advanced-threat-protection-new.md). + + +# Properties +Property | Type | Description +:---|:---|:--- +id | String | Alert ID. +incidentId | String | The [Incident](incidents-queue.md) ID of the Alert. +assignedTo | String | Owner of the alert. +severity | Enum | Severity of the alert. Possible values are: 'UnSpecified', 'Informational', 'Low', 'Medium' and 'High'. +status | Enum | Specifies the current status of the alert. Possible values are: 'Unknown', 'New', 'InProgress' and 'Resolved'. +investigationState | Nullable Enum | The current state of the investigation. Possible values are: 'Unknown', 'Terminated', 'SuccessfullyRemediated', 'Benign Failed PartiallyRemediated', 'Running', 'PendingApproval', 'PendingResource', 'PartiallyInvestigated', 'TerminatedByUser', 'TerminatedBySystem', 'Queued', 'InnerFailure', 'PreexistingAlert', 'UnsupportedOs', 'UnsupportedAlertType', 'SuppressedAlert' . +classification | Nullable Enum | Specification of the alert. Possible values are: 'Unknown', 'FalsePositive', 'TruePositive'. +determination | Nullable Enum | Specifies the determination of the alert. Possible values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other'. +category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General' . +detectionSource | string | Detection source. +threatFamilyName | string | Threat family. +title | string | Alert title. +description | String | Description of the threat, identified by the alert. +alertCreationTime | DateTimeOffset | The date and time (in UTC) the alert was created. +lastEventTime | DateTimeOffset | The last occurance of the event that triggered the alert on the same machine. +firstEventTime | DateTimeOffset | The first occurance of the event that triggered the alert on that machine. +resolvedTime | DateTimeOffset | The date and time in which the status of the alert was changed to 'Resolved'. +machineId | String | ID of a [machine](machine-windows-defender-advanced-threat-protection-new.md) entity that is associated with the alert. + +# JSON representation +``` +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description" + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md index ee57104d76..421206a7f9 100644 --- a/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Windows Defender ATP alert API fields description: Understand how the alert API fields map to the values in Windows Defender Security Center keywords: alerts, alert fields, fields, api, fields, pull alerts, rest api, request, response search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/apis-intro.md b/windows/security/threat-protection/windows-defender-atp/apis-intro.md new file mode 100644 index 0000000000..304eed3564 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/apis-intro.md @@ -0,0 +1,57 @@ +--- +title: Windows Defender Advanced Threat Protection API overview +description: Learn how you can use APIs to automate workflows and innovate based on Windows Defender ATP capabilities +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Windows Defender ATP API overview + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](prerelease.md)] + +Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). + +In general, you’ll need to take the following steps to use the APIs: +- Create an app +- Get an access token +- Use the token to access Windows Defender ATP API + + +As a developer, you decide which permissions for Windows Defender ATP your app requests. When a user signs in to your app they (or, in some cases, an administrator) are given a chance to give consent to these permissions. If the user provides consent, your app is given access to the resources and APIs that it has requested. For apps that don't take a signed-in user, permissions can be pre-approved to by an administrator when the app is installed or during sign-up. + +## Delegated permissions, application permissions, and effective permissions + +Windows Defender ATP has two types of permissions: delegated permissions and application permissions. + +- **Delegated permissions**
    + Used by apps that have a signed-in user present. For these apps either the user or an administrator provides consent to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Windows Defender ATP. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent. +- **Application permissions**
    + Used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator. + +Effective permissions are permissions that your app will have when making requests to Windows Defender ATP. It is important to understand the difference between the delegated and application permissions that your app is granted and its effective permissions when making calls to Windows Defender ATP. + +- For delegated permissions, the effective permissions of your app will be the least privileged intersection of the delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see [Assigning administrator roles in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-assign-admin-roles). + + For example, assume your app has been granted the `Machine.CollectForensics` delegated permission. This permission nominally grants your app permission to collect investigation package from a machine. If the signed-in user has 'Alerts Investigation' permission, your app will be able to collect investigation package from a machine, if the machine belongs to a group the user is exposed to. However, if the signed-in user doesn't have 'Alerts Investigation' permission, your app won't be able to collect investigation package from any machine. + +- For application permissions, the effective permissions of your app will be the full level of privileges implied by the permission. For example, an app that has the `Machine.CollectForensics` application permission can collect investigation package from any machine in the organization. + + +## Related topics +- [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md) +- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md index 68c07126d2..3128addc7a 100644 --- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Assign user access to Windows Defender Security Center description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal. keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 11/28/2018 --- # Assign user access to Windows Defender Security Center @@ -18,7 +19,7 @@ ms.date: 09/03/2018 **Applies to:** - Azure Active Directory - Office 365 -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-assignaccess-abovefoldlink) @@ -30,7 +31,7 @@ Windows Defender ATP supports two ways to manage permissions: > [!NOTE] >If you have already assigned basic permissions, you may switch to RBAC anytime. Consider the following before making the switch: ->- Users with full access (Security Administrators) are automatically assigned the default **Global administrator** role, which also has full access. Only global administrators can manage permissions using RBAC. +>- Users with full access (users that are assigned the Global Administrator or Security Administrator directory role in Azure AD), are automatically assigned the default Windows Defender ATP administrator role, which also has full access. Additional Azure AD user groups can be assigned to the Windows Defender ATP administrator role after switching to RBAC. Only users assigned to the Windows Defender ATP administrator role can manage permissions using RBAC. >- Users that have read-only access (Security Readers) will lose access to the portal until they are assigned a role. Note that only Azure AD user groups can be assigned a role under RBAC. >- After switching to RBAC, you will not be able to switch back to using basic permissions management. diff --git a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md index 2dc0691f2a..3c9a28ceaf 100644 --- a/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/attack-simulations-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Experience Windows Defender ATP through simulated attacks description: Run the provided attack scenario simulations to experience how Windows Defender ATP can detect, investigate, and respond to breaches. keywords: wdatp, test, scenario, attack, simulation, simulated, diy, windows defender advanced threat protection search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,7 +11,7 @@ ms.pagetype: security ms.author: lomayor author: lomayor ms.localizationpriority: medium -ms.date: 28/02/2018 +ms.date: 11/20/2018 --- # Experience Windows Defender ATP through simulated attacks @@ -18,12 +19,17 @@ ms.date: 28/02/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-attacksimulations-abovefoldlink) +>[!TIP] +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + + You might want to experience Windows Defender ATP before you onboard more than a few machines to the service. To do this, you can run controlled attack simulations on a few test machines. After running the simulated attacks, you can review how Windows Defender ATP surfaces malicious activity and explore how it enables an efficient response. ## Before you begin diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md index a1c25550d8..3caa3bf11d 100644 --- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Use Automated investigations to investigate and remediate threats description: View the list of automated investigations, its status, detection source and other details. keywords: automated, investigation, detection, source, threat types, id, tags, machines, duration, filter export search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 12/04/2018 --- # Overview of Automated investigations @@ -30,6 +31,7 @@ Entities are the starting point for Automated investigations. When an alert cont >[!NOTE] >Currently, Automated investigation only supports Windows 10, version 1803 or later. +>Some investigation playbooks, like memory investigations, require Windows 10, version 1809 or later. The alerts start by analyzing the supported entities from the alert and also runs a generic machine playbook to see if there is anything else suspicious on that machine. The outcome and details from the investigation is seen in the Automated investigation view. diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md index 6c995b3429..f5f0d320e5 100644 --- a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Use basic permissions to access Windows Defender Security Center description: Assign read and write or read only access to the Windows Defender Advanced Threat Protection portal. keywords: assign user roles, assign read and write access, assign read only access, user, user roles, roles search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,14 +11,14 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/13/2018 +ms.date: 11/09/2018 --- # Use basic permissions to access the portal **Applies to:** - Azure Active Directory -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-basicaccess-abovefoldlink) @@ -78,9 +79,10 @@ For more information see, [Manage Azure AD group and role membership](https://te 6. Select **Manage** > **Directory role**. -7. Under **Directory role**, select **Limited administrator**, then **Security Reader** or **Security Administrator**. +7. Select **Add role** and choose the role you'd like to assign, then click **Select**. - ![Image of Microsoft Azure portal](images/atp-azure-ui-user-access.png) + + ![Image of Microsoft Azure portal](images/atp-azure-assign-role.png) ## Related topic - [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md index 933ac113b2..64f4c8d321 100644 --- a/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Block file API description: Use this API to blocking files from being running in the organization. keywords: apis, graph api, supported apis, block file search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Block file API +# Block file API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Prevent a file from being executed in the organization using Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md index 5841eedc07..4b525298cf 100644 --- a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Check the health state of the sensor in Windows Defender ATP description: Check the sensor health on machines to identify which ones are misconfigured, inactive, or are not reporting sensor data. keywords: sensor, sensor health, misconfigured, inactive, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 04/24/2018 # Check sensor health state in Windows Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..bcd6861b37 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,98 @@ +--- +title: Collect investigation package API +description: Use this API to create calls related to the collecting an investigation package from a machine. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Collect investigation package API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Collect investigation package from a machine. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.CollectForensics | 'Collect forensics' +Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/collectInvestigationPackage +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/fb9ab6be3965095a09c057be7c90f0a2/collectInvestigationPackage +Content-type: application/json +{ + "Comment": "Collect forensics due to alert 1234" +} +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "c9042f9b-8483-4526-87b5-35e4c2532223", + "type": "CollectInvestigationPackage", + "requestor": "Analyst@contoso.com", + "requestorComment": " Collect forensics due to alert 1234", + "status": "InProgress", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z", + "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z", + "relatedFileInfo": null +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md index 1d19deb5cb..74df3d6aa3 100644 --- a/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Collect investigation package API description: Use this API to create calls related to the collecting an investigation package from a machine. keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Collect investigation package API +# Collect investigation package API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Collect investigation package from a machine. diff --git a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md index 295192756c..4561797028 100644 --- a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Access the Windows Defender ATP Community Center description: Access the Windows Defender ATP Community Center to share experiences, engange, and learn about the product. keywords: community, community center, tech community, conversation, announcements search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -17,7 +18,7 @@ ms.date: 04/24/2018 # Access the Windows Defender ATP Community Center **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md index 3ff19840f0..4e24ca1381 100644 --- a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Enable conditional access to better protect users, devices, and data description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant. keywords: conditional access, block applications, security level, intune, search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 04/24/2018 # Enable conditional access to better protect users, devices, and data **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md index 922143b7f4..6dfed8dd52 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure HP ArcSight to pull Windows Defender ATP alerts description: Configure HP ArcSight to receive and pull alerts from Windows Defender Security Center keywords: configure hp arcsight, security information and events management tools, arcsight search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 10/16/2017 +ms.date: 12/20/2018 --- # Configure HP ArcSight to pull Windows Defender ATP alerts @@ -18,7 +19,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -50,10 +51,10 @@ This section guides you in getting the necessary information to set and use the You can generate these tokens from the **SIEM integration** setup section of the portal. -## Install and configure HP ArcSight SmartConnector +## Install and configure HP ArcSight FlexConnector The following steps assume that you have completed all the required steps in [Before you begin](#before-you-begin). -1. Install the latest 32-bit Windows SmartConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightSmartConnectors\current\bin`.

    You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. +1. Install the latest 32-bit Windows FlexConnector installer. You can find this in the HPE Software center. The tool is typically installed in the following default location: `C:\Program Files\ArcSightFlexConnectors\current\bin`.

    You can choose where to save the tool, for example C:\\*folder_location*\current\bin where *folder_location* represents the installation location. 2. Follow the installation wizard through the following tasks: - Introduction @@ -65,7 +66,7 @@ The following steps assume that you have completed all the required steps in [Be You can keep the default values for each of these tasks or modify the selection to suit your requirements. -3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the SmartConnector installation location, for example: +3. Open File Explorer and locate the two configuration files you saved when you enabled the SIEM integration feature. Put the two files in the FlexConnector installation location, for example: - WDATP-connector.jsonparser.properties: C:\\*folder_location*\current\user\agent\flexagent\ diff --git a/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md index f48dd12b3e..0c6419eb05 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md @@ -3,6 +3,7 @@ title: description: keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -33,6 +34,6 @@ Topic | Description [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md)|How to automatically apply exploit mitigation techniques on both operating system processes and on individual apps [Network protection](../windows-defender-exploit-guard/enable-network-protection.md)|How to prevent users from using any apps to acces dangerous domains [Controlled folder access](../windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md)|How to protect valuable data from malicious apps -[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and aopps that are typically used for by exploit-seeking malware +[Attack surface reduction](../windows-defender-exploit-guard/enable-attack-surface-reduction.md)|How to prevent actions and apps that are typically used for by exploit-seeking malware [Network firewall](../windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md)|How to protect devices and data across a network diff --git a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md index 7e52942346..2c223e0718 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-conditional-access-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure conditional access in Windows Defender ATP description: keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,7 +16,7 @@ ms.date: 09/03/2018 # Configure conditional access in Windows Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) This section guides you through all the steps you need to take to properly implement conditional access. @@ -29,7 +30,7 @@ You need to make sure that all your devices are enrolled in Intune. You can use - IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment) - End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school) -- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup). +- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup). diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 1d3703c9be..94c5bfc2d5 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure alert notifications in Windows Defender ATP description: Send email notifications to specified recipients to receive new alerts based on severity with Windows Defender ATP on Windows 10 Enterprise, Pro, and Education editions. keywords: email notifications, configure alert notifications, windows defender atp notifications, windows defender atp alerts, windows 10 enterprise, windows 10 education search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,15 +11,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/16/2018 +ms.date: 10/08/2018 --- # Configure alert notifications in Windows Defender ATP **Applies to:** - - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-emailconfig-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index ba9cdde442..9b791272a5 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard Windows 10 machines using Group Policy to Windows Defender ATP description: Use Group Policy to deploy the configuration package on Windows 10 machines so that they are onboarded to the service. keywords: configure machines using group policy, machine management, configure Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, group policy search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -19,7 +20,7 @@ ms.date: 04/24/2018 - Group Policy -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -86,30 +87,6 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa >[!NOTE] > If you don't set a value, the default value is to enable sample collection. -### Configure reporting frequency settings -Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance. - -In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency. - -> [!NOTE] -> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. - -For each machine, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal. - -The configuration is set through the following registry key entry: - -``` -Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” -Name: "latency" -Value: Normal or Expedite -``` -Where:
    -Key type is a string.
    -Possible values are: -- Normal - sets reporting frequency from the machine to Normal mode for the optimal speed and performance balance -- Expedite - sets reporting frequency from the machine to Expedite mode - -The default value in case the registry key doesn’t exist is Normal. ## Offboard machines using Group Policy For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 4d35506749..a567b25209 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard Windows 10 machines using Mobile Device Management tools description: Use Mobile Device Management tools to deploy the configuration package on machines so that they are onboarded to the service. keywords: onboard machines using mdm, machine management, onboard Windows ATP machines, onboard Windows Defender Advanced Threat Protection machines, mdm search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 12/06/2018 --- # Onboard Windows 10 machines using Mobile Device Management tools @@ -18,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configureendpointsmdm-abovefoldlink) @@ -33,104 +34,14 @@ For more information on enabling MDM with Microsoft Intune, see [Setup Windows D ## Onboard machines using Microsoft Intune +Follow the instructions from [Intune](https://docs.microsoft.com/intune/advanced-threat-protection). + For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThreatProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt723296(v=vs.85).aspx) and [WindowsAdvancedThreatProtection DDF file](https://msdn.microsoft.com/library/windows/hardware/mt723297(v=vs.85).aspx). -### Use the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher - -1. Login to the [Microsoft Azure portal](https://portal.azure.com). - -2. Select **Device Configuration > Profiles > Create profile**. - -3. Enter a **Name** and **Description**. - -4. For **Platform**, select **Windows 10 and later**. - -5. For **Profile type**, select **Windows Defender ATP (Windows 10 Desktop)**. - -6. Configure the settings: - - **Onboard Configuration Package**: Browse and select the **WindowsDefenderATP.onboarding** file you downloaded. This file enables a setting so devices can report to the Windows Defender ATP service. - - **Sample sharing for all files**: Allows samples to be collected, and shared with Windows Defender ATP. For example, if you see a suspicious file, you can submit it to Windows Defender ATP for deep analysis. - - **Expedite telemetry reporting frequency**: For devices that are at high risk, enable this setting so it reports telemetry to the Windows Defender ATP service more frequently. - - **Offboard Configuration Package**: If you want to remove Windows Defender ATP monitoring, you can download an offboarding package from Windows Defender Security Center, and add it. Otherwise, skip this property. - -7. Select **OK**, and **Create** to save your changes, which creates the profile. - - - -### Onboard and monitor machines using the classic Intune console - -1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): - - a. In the navigation pane, select **Settings** > **Onboarding**. - - b. Select Windows 10 as the operating system. - - c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**. - - d. Click **Download package**, and save the .zip file. - -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*. - -3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). - - a. Select **Policy** > **Configuration Policies** > **Add**. - ![Microsoft Intune Configuration Policies](images/atp-add-intune-policy.png) - - b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
    - ![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png) - - c. Type a name and description for the policy.
    - - ![Microsoft Intune Create Policy](images/atp-intune-policy-name.png) - - d. Under OMA-URI settings, select **Add...**.
    - - ![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png) - - e. Type the following values then select **OK**: - - ![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png) - - - **Setting name**: Type a name for the setting. - - **Setting description**: Type a description for the setting. - - **Data type**: Select **String**. - - **OMA-URI**: *./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding* - - **Value**: Copy and paste the contents of the *WindowsDefenderATP.onboarding* file you downloaded. - - - f. Save the policy. - - ![Microsoft Intune save policy](images/atp-intune-save-policy.png) - - g. Deploy the policy. - - ![Microsoft Intune deploy policy](images/atp-intune-deploy-policy.png) - - h. Select the device group to deploy the policy to: - - ![Microsoft Intune manage deployment](images/atp-intune-manage-deployment.png) - -When the policy is deployed and is propagated, machines will be shown in the **Machines list**. - -You can use the following onboarding policies to deploy configuration settings on machines. These policies can be sub-categorized to: -- Onboarding -- Health Status for onboarded machines -- Configuration for onboarded machines - -> [!div class="mx-tableFixed"] -Policy | OMA-URI | Type | Value | Description -:---|:---|:---|:---|:--- -Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding -Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running -Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP -Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID -Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
    Default value: 1 | Windows Defender ATP Sample sharing is enabled -Configuration for onboarded machines: diagnostic data reporting frequency | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency | Integer | 1 or 2
    1: Normal (default)

    2: Expedite | Windows Defender ATP diagnostic data reporting > [!NOTE] > - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. > - Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703. -> - Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. >[!TIP] @@ -154,18 +65,8 @@ For security reasons, the package used to Offboard machines will expire 30 days 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. -3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). +3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). -Offboarding - Use the offboarding policies to remove configuration settings on machines. These policies can be sub-categorized to: -- Offboarding -- Health Status for offboarded machines -- Configuration for offboarded machines - -Policy | OMA-URI | Type | Value | Description -:---|:---|:---|:---|:--- -Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding - Health Status for offboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running -Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP > [!NOTE] > The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md index 71b333c546..3702b187d3 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md @@ -3,22 +3,23 @@ title: Onboard non-Windows machines to the Windows Defender ATP service description: Configure non-Winodws machines so that they can send sensor data to the Windows Defender ATP service. keywords: onboard non-Windows machines, macos, linux, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 10/03/2018 --- # Onboard non-Windows machines **Applies to:** -- macOS X +- macOS - Linux -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-nonwindows-abovefoldlink) @@ -26,7 +27,7 @@ ms.date: 04/24/2018 Windows Defender ATP provides a centralized security operations experience for Windows as well as non-Windows platforms. You'll be able to see alerts from various supported operating systems (OS) in Windows Defender Security Center and better protect your organization's network. This experience leverages on a third-party security products’ sensor data. -You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work. +You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the integration to work. You'll need to take the following steps to onboard non-Windows machines: 1. Turn on third-party integration diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index d0bf0a6cbd..707a5887a8 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard Windows 10 machines using System Center Configuration Manager description: Use System Center Configuration Manager to deploy the configuration package on machines so that they are onboarded to the service. keywords: onboard machines using sccm, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines, sccm search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - System Center 2012 Configuration Manager or later versions @@ -89,30 +90,6 @@ The default value in case the registry key doesn’t exist is 1. For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx). -### Configure reporting frequency settings -Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance. - -In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency. - -> [!NOTE] -> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. - -For each machine, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal. - -The configuration is set through the following registry key entry: - -``` -Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” -Name: "latency" -Value: Normal or Expedite -``` -Where:
    -Key type is a string.
    -Possible values are: -- Normal - sets reporting frequency from the machine to Normal mode for the optimal speed and performance balance -- Expedite - sets reporting frequency from the machine to Expedite mode - -The default value in case the registry key doesn’t exist is Normal. ## Offboard machines using System Center Configuration Manager diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index ea54c42092..69bb28ccaa 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard Windows 10 machines using a local script description: Use a local script to deploy the configuration package on machines so that they are onboarded to the service. keywords: configure machines using a local script, machine management, configure Windows ATP machines, configure Windows Defender Advanced Threat Protection machines search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md index 7f15b0fc5c..caa1e6b2b4 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard non-persistent virtual desktop infrastructure (VDI) machines description: Deploy the configuration package on virtual desktop infrastructure (VDI) machine so that they are onboarded to Windows Defender ATP the service. keywords: configure virtual desktop infrastructure (VDI) machine, vdi, machine management, configure Windows ATP endpoints, configure Windows Defender Advanced Threat Protection endpoints search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md index 8b93f17477..8371836083 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard Windows 10 machines on Windows Defender ATP description: Onboard Windows 10 machines so that they can send sensor data to the Windows Defender ATP sensor keywords: Onboard Windows 10 machines, group policy, system center configuration manager, mobile device management, local script, gp, sccm, mdm, intune search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 07/12/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md index 82a78124e7..cbff3e3945 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure managed security service provider support description: Take the necessary steps to configure the MSSP integration with Windows Defender ATP keywords: managed security service provider, mssp, configure, integration search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,11 +17,11 @@ ms.date: 09/03/2018 # Configure managed security service provider integration **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) -[!include[Prereleaseinformation](prerelease.md)] +[!include[Prerelease information](prerelease.md)] You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration. @@ -58,7 +59,7 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs. >[!NOTE] > These set of steps are directed towards the MSSP customer.
    -> Access to the portal can can only be done by the MSSP customer. +> Access to the portal can only be done by the MSSP customer. As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center. @@ -269,7 +270,7 @@ You'll need to have **Manage portal system settings** permission to whitelist th You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md). -- In the ArcSight configuration file / Splunk Authentication Properties file you will have to write your application key manually by settings the secret value. +- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value. - Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means). ## Fetch alerts from MSSP customer's tenant using APIs diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 4456ba11e8..2609656756 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure machine proxy and Internet connection settings description: Configure the Windows Defender ATP proxy and internet settings to enable communication with the cloud service. keywords: configure, proxy, internet, internet connectivity, settings, proxy settings, netsh, winhttp, proxy server search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,14 +11,14 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/12/2018 +ms.date: 11/14/2018 --- # Configure machine proxy and Internet connectivity settings **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -97,8 +98,28 @@ United Kingdom | ```uk.vortex-win.data.microsoft.com```
    ```uk-v20.events.dat United States | ```us.vortex-win.data.microsoft.com```
    ```us-v20.events.data.microsoft.com```
    ```winatp-gw-cus.microsoft.com```
    ```winatp-gw-eus.microsoft.com``` + If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. +## Windows Defender ATP service backend IP range +If you network devices don't support the URLs white-listed in the prior section, you can use the following information. + +Windows Defender ATP is built on Azure cloud, deployed in the following regions: + +- \+\ +- \+\ +- \+\ +- \+\ +- \+\ +- \+\ +- \+\ + + +You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653). + +>[!NOTE] +> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting. + ## Verify client connectivity to Windows Defender ATP service URLs diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index d31a895006..54976ad8b9 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -3,13 +3,14 @@ title: Onboard servers to the Windows Defender ATP service description: Onboard servers so that they can send sensor data to the Windows Defender ATP sensor. keywords: onboard server, server, 2012r2, 2016, 2019, server onboarding, machine management, configure Windows ATP servers, onboard Windows Defender Advanced Threat Protection servers search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 09/06/2018 +ms.date: 12/14/2018 --- # Onboard servers to the Windows Defender ATP service @@ -20,7 +21,7 @@ ms.date: 09/06/2018 - Windows Server 2016 - Windows Server, version 1803 - Windows Server, 2019 -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) [!include[Prerelease information](prerelease.md)] @@ -35,11 +36,18 @@ The service supports the onboarding of the following servers: - Windows Server, version 1803 - Windows Server 2019 + +For a practical guidance on what needs to be in place for licensing and infrastructure, see [Protecting Windows Servers with Windows Defender ATP](https://techcommunity.microsoft.com/t5/What-s-New/Protecting-Windows-Server-with-Windows-Defender-ATP/m-p/267114#M128). + ## Windows Server 2012 R2 and Windows Server 2016 To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to: - For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. + + >[!NOTE] + >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2. + - Turn on server monitoring from Windows Defender Security Center. - If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through [Multi Homing support](https://blogs.technet.microsoft.com/msoms/2016/05/26/oms-log-analytics-agent-multi-homing-support/). Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. @@ -53,7 +61,7 @@ To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender AT Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting @@ -71,18 +79,18 @@ The following steps are required to enable this integration: 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603). 2. Using the Workspace ID and Workspace key provided in the previous procedure, choose any of the following installation methods to install the agent on the server: - - [Manually install the agent using setup](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
    + - [Manually install the agent using setup](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-setup)
    On the **Agent Setup Options** page, choose **Connect the agent to Azure Log Analytics (OMS)**. - - [Install the agent using the command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). + - [Install the agent using the command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#add-a-workspace-using-a-script). -3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings). +3. You'll need to configure proxy settings for the Microsoft Monitoring Agent. For more information, see [Configure proxy settings](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#configure-proxy-settings). Once completed, you should see onboarded servers in the portal within an hour. ### Configure server proxy and Internet connectivity settings -- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-oms-gateway). +- Each Windows server must be able to connect to the Internet using HTTPS. This connection can be direct, using a proxy, or through the [OMS Gateway](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-gateway). - If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service: Agent Resource | Ports @@ -101,7 +109,15 @@ Agent Resource | Ports | winatp-gw-aue.microsoft.com |443 | ## Windows Server, version 1803 and Windows Server 2019 -To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. +To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. + +Supported tools include: +- Local script +- Group Policy +- System Center Configuration Manager 2012 / 2012 R2 1511 / 1602 +- VDI onboarding scripts for non-persistent machines + + For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). @@ -130,8 +146,11 @@ To onboard Windows Server, version 1803 or Windows Server 2019, use the same met ## Integration with Azure Security Center Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +>[!NOTE] +>You'll need to have the appropriate license to enable this feature. + The following capabilities are included in this integration: -- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/en-us/azure/security-center/security-center-onboarding). +- Automated onboarding - Windows Defender ATP sensor is automatically enabled on Windows Servers that are onboarded to Azure Security Center. For more information on Azure Security Center onboarding, see [Onboarding to Azure Security Center Standard for enhanced security](https://docs.microsoft.com/azure/security-center/security-center-onboarding). >[!NOTE] > Automated onboarding is only applicable for Windows Server 2012 R2 and Windows Server 2016. @@ -157,7 +176,7 @@ For other server versions, you have two options to offboard servers from the ser ### Uninstall servers by uinstalling the MMA agent To offboard the server, you can uninstall the MMA agent from the server or detach it from reporting to your Windows Defender ATP workspace. After offboarding the agent, the server will no longer send sensor data to Windows Defender ATP. -For more information, see [To disable an agent](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). +For more information, see [To disable an agent](https://docs.microsoft.com/azure/log-analytics/log-analytics-windows-agents#to-disable-an-agent). ### Remove the Windows Defender ATP workspace configuration To offboard the server, you can use either of the following methods: diff --git a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md index 5c36c805e4..e2c82a3cc0 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Pull alerts to your SIEM tools from Windows Defender Advanced Threat Prot description: Learn how to use REST API and configure supported security information and events management tools to receive and pull alerts. keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-configuresiem-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md index 03f3013863..09b8cf9087 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure Splunk to pull Windows Defender ATP alerts description: Configure Splunk to receive and pull alerts from Windows Defender Security Center. keywords: configure splunk, security information and events management tools, splunk search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..b207613837 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/create-alert-by-reference-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,93 @@ +--- +title: Create alert from event API +description: Creates an alert using event details +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Create alert from event API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + + +Enables using event data, as obtained from the [Advanced Hunting](run-advanced-query-api.md) for creating a new alert entity. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alerts.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | String | application/json. **Required**. + +## Request body +In the request body, supply the following values (all are required): + +Property | Type | Description +:---|:---|:--- +machineId | String | Id of the machine on which the event was identified. **Required**. +severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**. +title | String | Title for the alert. **Required**. +description | String | Description of the alert. **Required**. +recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. +eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**. +reportId | String | The reportId, as obtained from the advanced query. **Required**. +category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'. + + +## Response +If successful, this method returns 200 OK, and a new [alert](alerts-windows-defender-advanced-threat-protection-new.md) object in the response body. If event with the specified properties (_reportId_, _eventTime_ and _machineId_) was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/alerts/CreateAlertByReference +Content-Length: application/json + +{ + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "severity": "Low", + "title": "test alert", + "description": "test alert", + "recommendedAction": "test alert", + "eventTime": "2018-08-03T16:45:21.7115183Z", + "reportId": "20776", + "category": "None" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md index e9d21b6f95..60545d5706 100644 --- a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md @@ -3,6 +3,7 @@ title: Create custom detection rules in Windows Defender ATP description: Learn how to create custom detections rules based on advanced hunting queries keywords: create custom detections, detections, advanced hunting, hunt, detect, query search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,15 +11,14 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 10/29/2018 --- # Create custom detections rules **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -[!include[Prereleaseinformation](prerelease.md)] 1. In the navigation pane, select **Advanced hunting**. diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md index 229300b01e..67591e6f98 100644 --- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Create custom alerts using the threat intelligence API description: Create your custom alert definitions and indicators of compromise in Windows Defender ATP using the available APIs in Windows Enterprise, Education, and Pro editions. keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -58,7 +59,7 @@ Each tenant has a defined quota that limits the number of possible alert definit ## Request an access token from the token issuing endpoint Windows Defender ATP Threat Intelligence API uses OAuth 2.0. In the context of Windows Defender ATP, the alert definitions are a protected resource. To issue tokens for ad-hoc, non-automatic operations you can use the **Settings** page and click the **Generate Token** button. However, if you’d like to create an automated client, you need to use the “Client Credentials Grant” flow. For more information, see the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749#section-4.4). -For more information about the authorization flow, see [OAuth 2.0 authorization flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#oauth-20-authorization-flow). +For more information about the authorization flow, see [OAuth 2.0 authorization flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-protocols-oauth-code#oauth-20-authorization-flow). Make an HTTP POST request to the token issuing endpoint with the following parameters, replacing ``, ``, and `` with your app's client ID, client secret and authorization server URL. @@ -186,7 +187,6 @@ The API currently supports the following IOC types: - Sha1 - Sha256 - Md5 -- FileName - IpAddress - DomainName diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md index b98dc92230..0232707da6 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Update data retention settings for Windows Defender Advanced Threat Prote description: Update data retention settings by selecting between 30 days to 180 days. keywords: data, storage, settings, retention, update search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -17,7 +18,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index 1efa791236..c2a6e3f9c3 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Windows Defender ATP data storage and privacy description: Learn about how Windows Defender ATP handles privacy and data that it collects. keywords: Windows Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 09/07/2018 # Windows Defender ATP data storage and privacy **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -43,7 +44,7 @@ Microsoft does not use your data for advertising or for any other purpose other The Windows Defender ATP service utilizes state of the art data protection technologies which are based on Microsoft Azure infrastructure. -There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Windows Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/en-us/azure/security/security-azure-encryption-overview). +There are various aspects relevant to data protection that our service takes care of. Encryption is one of the most critical and it includes data encryption at rest, encryption in flight, and key management with Key Vault. For more information on other technologies used by the Windows Defender ATP service, see [Azure encryption overview](https://docs.microsoft.com/azure/security/security-azure-encryption-overview). In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wikipedia.org/wiki/Advanced_Encryption_Standard) at the minimum. diff --git a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md index 80d84f08c0..420fba6b8f 100644 --- a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Windows Defender Antivirus compatibility with Windows Defender ATP description: Learn about how Windows Defender works with Windows Defender ATP and how it functions when a third-party antimalware client is used. keywords: windows defender compatibility, defender, windows defender atp search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -19,7 +20,7 @@ ms.date: 04/24/2018 - Windows Defender -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..b0d3efb765 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,77 @@ +--- +title: Delete Ti Indicator. +description: Deletes Ti Indicator entity by ID. +keywords: apis, public api, supported apis, delete, ti indicator, entity, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Delete TI Indicator API + +[!include[Prereleaseinformation](prerelease.md)] + +>[!Note] +> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) + + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Retrieves a TI Indicator entity by ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ti.ReadWrite | 'Read and write TI Indicators' + + +## HTTP request +``` +Delete https://api.securitycenter.windows.com/api/tiindicators/{id} +``` + +[!include[Improve request performance](improverequestperformance-new.md)] + + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If TI Indicator exist and deleted successfully - 204 OK without content. +If TI Indicator with the specified id was not found - 404 Not Found. + +## Example + +**Request** + +Here is an example of the request. + +``` +DELETE https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 204 NO CONTENT + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/deprecate.md b/windows/security/threat-protection/windows-defender-atp/deprecate.md new file mode 100644 index 0000000000..fe73a4d416 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/deprecate.md @@ -0,0 +1,7 @@ +--- +ms.date: 10/17/2018 +--- +>[!WARNING] + + +> This page documents a feature that will soon be deprecated. For the updated and supported version, see [Use the Windows Defender ATP APIs](use-apis.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md index 4896e983e7..f13739ad9c 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Enable the custom threat intelligence API in Windows Defender ATP description: Learn how to setup the custom threat intelligence application in Windows Defender ATP to create custom threat intelligence (TI). keywords: enable custom threat intelligence application, custom ti application, application name, client id, authorization url, resource, client secret, access tokens search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md index 1afddb33b9..e88f1959d0 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Enable Secure Score in Windows Defender ATP description: Set the baselines for calculating the score of Windows Defender security controls on the Secure Score dashboard. keywords: enable secure score, baseline, calculation, analytics, score, secure score dashboard, dashboard search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index 123c537dc8..9a87b74ae6 100644 --- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Enable SIEM integration in Windows Defender ATP description: Enable SIEM integration to receive alerts in your security information and event management (SIEM) solution. keywords: enable siem connector, siem, connector, security information and events search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,31 +11,38 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 12/10/2018 --- # Enable SIEM integration in Windows Defender ATP **Applies to:** - - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-enablesiem-abovefoldlink) Enable security information and event management (SIEM) integration so you can pull alerts from Windows Defender Security Center using your SIEM solution or by connecting directly to the alerts REST API. +## Prerequisites +- The user who activates the setting must have permissions to create an app in Azure Active Directory (AAD). This is typically someone with a **Global administrator** role. +- During the initial activation, a pop-up screen is displayed for credentials to be entered. Make sure that you allow pop-ups for this site. + +## Enabling SIEM integration 1. In the navigation pane, select **Settings** > **SIEM**. - ![Image of SIEM integration from Settings menu](images/atp-siem-integration.png) + ![Image of SIEM integration from Settings menu](images/enable_siem.png) + + >[!TIP] + >If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability. 2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. - > [!WARNING] - >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
    - For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + > [!WARNING] + >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
    + For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). + + ![Image of SIEM integration from Settings menu](images/siem_details.png) 3. Choose the SIEM type you use in your organization. @@ -54,7 +62,8 @@ Enable security information and event management (SIEM) integration so you can p You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Windows Defender Security Center. - +## Integrate Windows Defender ATP with IBM QRadar +You can configure IBM QRadar to collect alerts from Windows Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1). ## Related topics - [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md index 760908772b..3422e6cbff 100644 --- a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md @@ -3,6 +3,7 @@ title: Evaluate Windows Defender Advanced Threat Protection description: keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -14,7 +15,7 @@ ms.date: 08/10/2018 --- # Evaluate Windows Defender ATP -Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. +[Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. You can evaluate Windows Defender Advanced Threat Protection in your organization by [starting your free trial](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp). diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md index 03354b9f6a..7d43f2c2a2 100644 --- a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Review events and errors using Event Viewer description: Get descriptions and further troubleshooting steps (if required) for all events reported by the Windows Defender ATP service. keywords: troubleshoot, event viewer, log summary, failure code, failed, Windows Defender Advanced Threat Protection service, cannot start, broken, can't start search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -20,7 +21,7 @@ ms.date: 05/21/2018 - Event Viewer -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md index 68a5bbfdf5..8aeb2539ee 100644 --- a/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Experiment with custom threat intelligence alerts description: Use this end-to-end guide to start using the Windows Defender ATP threat intelligence API. keywords: alert definitions, indicators of compromise, threat intelligence, custom threat intelligence, rest api, api search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 11/09/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md new file mode 100644 index 0000000000..679dc47866 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-nativeapp.md @@ -0,0 +1,175 @@ +--- +title: Use Windows Defender Advanced Threat Protection APIs +description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Use Windows Defender ATP APIs + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + + +[!include[Prerelease information](prerelease.md)] + + +This page describe how to create an application to get programmatical access to Windows Defender ATP on behalf of a user. + +If you need programmatical access Windows Defender ATP without a user, refer to [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md). + +If you are not sure which access you need, read the [Introduction page](apis-intro.md). + +Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). + +In general, you’ll need to take the following steps to use the APIs: +- Create an app +- Get an access token +- Use the token to access Windows Defender ATP API + +This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission. + +>[!NOTE] +> When accessing Windows Defender ATP API on behalf of a user, you will need the correct app permission and user permission. +> If you are not familiar with user permissions on Windows Defender ATP, see [Manage portal access using role-based access control](rbac-windows-defender-advanced-threat-protection.md). + +>[!TIP] +> If you have the permission to perform an action in the portal, you have the permission to perform the action in the API. + +## Create an app + +1. Log on to [Azure](https://portal.azure.com). + +2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. + + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + +3. In the Create window, enter the following information then click **Create**. + + ![Image of Create application window](images/nativeapp-create.png) + + - **Name:** -Your app name- + - **Application type:** Native + - **Redirect URI:** `https://127.0.0.1` + + +4. Click **Settings** > **Required permissions** > **Add**. + + ![Image of new app in Azure](images/nativeapp-add-permission.png) + +5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**. + + **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + + ![Image of API access and API selection](images/webapp-add-permission-2.png) + +6. Click **Select permissions** > check **Read alerts** and **Collect forensics** > **Select**. + + >[!IMPORTANT] + >You need to select the relevant permissions. 'Read alerts' and 'Collect forensics' are only an example. + + ![Image of select permissions](images/nativeapp-select-permissions.png) + + For instance, + + - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission + - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission + + To determine which permission you need, look at the **Permissions** section in the API you are interested to call. + + +7. Click **Done** + + ![Image of add permissions completion](images/nativeapp-add-permissions-end.png) + +8. Click **Grant permissions** + + In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button. + + If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect. + + ![Image of Grant permissions](images/webapp-grant-permissions.png) + +9. Write down your application ID. + + ![Image of app ID](images/nativeapp-get-appid.png) + + +## Get an access token + +For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) + +### Using C# + +The code was below tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8 + +- Create a new Console Application +- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) +- Add the below using + + ``` + using Microsoft.IdentityModel.Clients.ActiveDirectory; + ``` + +- Copy/Paste the below code in your application (pay attention to the comments in the code) + + ``` + const string authority = "https://login.windows.net"; + const string wdatpResourceId = "https://api.securitycenter.windows.com"; + + string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here + string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here + + string username = "SecurityAdmin123@microsoft.com"; // Paste your username here + string password = GetPasswordFromSafePlace(); // Paste your own password here for a test, and then store it in a safe place! + + UserPasswordCredential userCreds = new UserPasswordCredential(username, password); + + AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}"); + AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, appId, userCreds).GetAwaiter().GetResult(); + string token = authenticationResult.AccessToken; + ``` + +## Validate the token + +Sanity check to make sure you got a correct token: +- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it +- Validate you get a 'scp' claim with the desired app permissions +- In the screenshot below you can see a decoded token acquired from the app in the tutorial: + +![Image of token validation](images/nativeapp-decoded-token.png) + +## Use the token to access Windows Defender ATP API + +- Choose the API you want to use - [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- Set the Authorization header in the HTTP request you send to "Bearer {token}" (Bearer is the Authorization scheme) +- The Expiration time of the token is 1 hour (you can send more then one request with the same token) + +- Example of sending a request to get a list of alerts **using C#** + ``` + var httpClient = new HttpClient(); + + var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); + + request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); + + var response = await httpClient.SendAsync(request).ConfigureAwait(false); + + // Do something useful with the response + ``` + +## Related topics +- [Windows Defender ATP APIs](apis-intro.md) +- [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md new file mode 100644 index 0000000000..ca0153916b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-create-app-webapp.md @@ -0,0 +1,220 @@ +--- +title: Create an app to access Windows Defender ATP without a user +description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Create an app to access Windows Defender ATP without a user + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) + +[!include[Prerelease information](prerelease.md)] + +This page describes how to create an application to get programmatical access to Windows Defender ATP without a user. + +If you need programmatical access Windows Defender ATP on behalf of a user, see [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) + +If you are not sure which access you need, see [Use Windows Defender ATP APIs](apis-intro.md). + +Windows Defender ATP exposes much of its data and actions through a set of programmatic APIs. Those APIs will help you automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). + +In general, you’ll need to take the following steps to use the APIs: +- Create an app +- Get an access token +- Use the token to access Windows Defender ATP API + +This page explains how to create an app, get an access token to Windows Defender ATP and validate the token includes the required permission. + +## Create an app + +1. Log on to [Azure](https://portal.azure.com). + +2. Navigate to **Azure Active Directory** > **App registrations** > **New application registration**. + + ![Image of Microsoft Azure and navigation to application registration](images/atp-azure-new-app.png) + +3. In the Create window, enter the following information then click **Create**. + + ![Image of Create application window](images/webapp-create.png) + + - **Name:** WdatpEcosystemPartner + - **Application type:** Web app / API + - **Redirect URI:** `https://WdatpEcosystemPartner.com` (The URL where user can sign in and use your app. You can change this URL later.) + + +4. Click **Settings** > **Required permissions** > **Add**. + + ![Image of new app in Azure](images/webapp-add-permission.png) + +5. Click **Select an API** > **WindowsDefenderATP**, then click **Select**. + + **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + + ![Image of API access and API selection](images/webapp-add-permission-2.png) + +6. Click **Select permissions** > **Run advanced queries** > **Select**. + + **Important note**: You need to select the relevant permission. 'Run advanced queries' is only an example! + + ![Image of select permissions](images/webapp-select-permission.png) + + For instance, + + - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission + - To [isolate a machine](isolate-machine-windows-defender-advanced-threat-protection-new.md), select 'Isolate machine' permission + + To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. + +7. Click **Done** + + ![Image of add permissions completion](images/webapp-add-permission-end.png) + +8. Click **Grant permissions** + + In order to add the new selected permissions to the app, the Admin's tenant must press on the **Grant permissions** button. + + If in the future you will want to add more permission to the app, you will need to press on the **Grant permissions** button again so the changes will take effect. + + ![Image of Grant permissions](images/webapp-grant-permissions.png) + +9. Click **Keys** and type a key name and click **Save**. + + **Important**: After you save, **copy the key value**. You won't be able to retrieve after you leave! + + ![Image of create app key](images/webapp-create-key.png) + +10. Write down your application ID. + + ![Image of app ID](images/webapp-get-appid.png) + +11. Set your application to be multi-tenanted + + This is **required** for 3rd party apps (for example, if you create an application that is intended to run in multiple customers tenant). + + This is **not required** if you create a service that you want to run in your tenant only (for example, if you create an application for your own usage that will only interact with your own data)​ + + Click **Properties** > **Yes** > **Save**. + + ![Image of multi tenant](images/webapp-edit-multitenant.png) + + +## Application consent +You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer. + +You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory. + +Consent link is of the form: + +``` +https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true​ +``` + +where 00000000-0000-0000-0000-000000000000​ should be replaced with your Azure application ID + + +## Get an access token + +For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds) + +### Using C# + +>The below code was tested with nuget Microsoft.IdentityModel.Clients.ActiveDirectory 3.19.8 + +- Create a new Console Application +- Install Nuget [Microsoft.IdentityModel.Clients.ActiveDirectory](https://www.nuget.org/packages/Microsoft.IdentityModel.Clients.ActiveDirectory/) +- Add the below using + + ``` + using Microsoft.IdentityModel.Clients.ActiveDirectory; + ``` + +- Copy/Paste the below code in your application (do not forget to update the 3 variables: ```tenantId, appId, appSecret```) + + ``` + string tenantId = "00000000-0000-0000-0000-000000000000"; // Paste your own tenant ID here + string appId = "11111111-1111-1111-1111-111111111111"; // Paste your own app ID here + string appSecret = "22222222-2222-2222-2222-222222222222"; // Paste your own app secret here for a test, and then store it in a safe place! + + const string authority = "https://login.windows.net"; + const string wdatpResourceId = "https://api.securitycenter.windows.com"; + + AuthenticationContext auth = new AuthenticationContext($"{authority}/{tenantId}/"); + ClientCredential clientCredential = new ClientCredential(appId, appSecret); + AuthenticationResult authenticationResult = auth.AcquireTokenAsync(wdatpResourceId, clientCredential).GetAwaiter().GetResult(); + string token = authenticationResult.AccessToken; + ``` + +### Using PowerShell + +Refer to [Get token using PowerShell](run-advanced-query-sample-powershell.md#get-token) + +### Using Python + +Refer to [Get token using Python](run-advanced-query-sample-python.md#get-token) + +### Using Curl + +> [!NOTE] +> The below procedure supposed Curl for Windows is already installed on your computer + +- Open a command window +- ​Set CLIENT_ID to your Azure application ID +- Set CLIENT_SECRET to your Azure application secret +- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application +- Run the below command: + +``` +curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice​/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID​%/oauth2/v2.0/token" -k​ +``` + +You will get an answer of the form: + +``` +{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn aWReH7P0s0tjTBX8wGWqJUdDA"} +``` + +## Validate the token + +Sanity check to make sure you got a correct token: +- Copy/paste into [JWT](https://jwt.ms) the token you get in the previous step in order to decode it +- Validate you get a 'roles' claim with the desired permissions +- In the screenshot below you can see a decoded token acquired from an app with permissions to all of Wdatp's roles: + +![Image of token validation](images/webapp-decoded-token.png) + +## Use the token to access Windows Defender ATP API + +- Choose the API you want to use, for more information, see [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- Set the Authorization header in the Http request you send to "Bearer {token}" (Bearer is the Authorization scheme) +- The Expiration time of the token is 1 hour (you can send more then one request with the same token) + +- Example of sending a request to get a list of alerts **using C#** + ``` + var httpClient = new HttpClient(); + + var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); + + request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); + + var response = await httpClient.SendAsync(request).ConfigureAwait(false); + + // Do something useful with the response + ``` + +## Related topics +- [Windows Defender ATP APIs](apis-intro.md) +- [Supported Windows Defender ATP APIs](exposed-apis-list.md) +- [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md new file mode 100644 index 0000000000..5c554d4040 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-full-sample-powershell.md @@ -0,0 +1,118 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/24/2018 +--- + +# Windows Defender ATP APIs using PowerShell +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + + +Full scenario using multiple APIs from Windows Defender ATP. + +In this section we share PowerShell samples to + - Retrieve a token + - Use token to retrieve the latest alerts in Windows Defender ATP + - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL. + +>**Prerequisite**: You first need to [create an app](apis-intro.md). + +## Preparation Instructions + +- Open a PowerShell window. +- If your policy does not allow you to run the PowerShell commands, you can run the below command: +``` +Set-ExecutionPolicy -ExecutionPolicy Bypass +``` + +>For more details, refer to [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy) + +## Get token + +- Run the below + +> - $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) +> - $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) +> - $appSecret: Secret of your AAD app +> - $suspiciousUrl: The URL + + +``` +$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here +$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here +$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here +$suspiciousUrl = 'www.suspiciousUrl.com' # Paste your own URL here + +$resourceAppIdUri = 'https://securitycenter.onmicrosoft.com/windowsatpservice' +$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$authBody = [Ordered] @{ + resource = "$resourceAppIdUri" + client_id = "$appId" + client_secret = "$appSecret" + grant_type = 'client_credentials' +} +$authResponse = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $authBody -ErrorAction Stop +$aadToken = $authResponse.access_token + + +#Get latest alert +$alertUrl = "https://api.securitycenter.windows.com/api/alerts?`$top=10" +$headers = @{ + 'Content-Type' = 'application/json' + Accept = 'application/json' + Authorization = "Bearer $aadToken" +} +$alertResponse = Invoke-WebRequest -Method Get -Uri $alertUrl -Headers $headers -ErrorAction Stop +$alerts = ($alertResponse | ConvertFrom-Json).value + +$machinesToInvestigate = New-Object System.Collections.ArrayList + +Foreach($alert in $alerts) +{ + #echo $alert.id $alert.machineId $alert.severity $alert.status + + $isSevereAlert = $alert.severity -in 'Medium', 'High' + $isOpenAlert = $alert.status -in 'InProgress', 'New' + if($isOpenAlert -and $isSevereAlert) + { + if (-not $machinesToInvestigate.Contains($alert.machineId)) + { + $machinesToInvestigate.Add($alert.machineId) > $null + } + } +} + +$commaSeparatedMachines = '"{0}"' -f ($machinesToInvestigate -join '","') + +$query = "NetworkCommunicationEvents +| where MachineId in ($commaSeparatedMachines) +| where RemoteUrl == `"$suspiciousUrl`" +| summarize ConnectionsCount = count() by MachineId" + +$queryUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run" + +$queryBody = ConvertTo-Json -InputObject @{ 'Query' = $query } +$queryResponse = Invoke-WebRequest -Method Post -Uri $queryUrl -Headers $headers -Body $queryBody -ErrorAction Stop +$response = ($queryResponse | ConvertFrom-Json).Results +$response + +``` + + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using Python](run-advanced-query-sample-python.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md new file mode 100644 index 0000000000..101b345a77 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-list.md @@ -0,0 +1,58 @@ +--- +title: Supported Windows Defender Advanced Threat Protection query APIs +description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to. +keywords: apis, supported apis, actor, alerts, machine, user, domain, ip, file, advanced queries, advanced hunting +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 30/07/2018 +--- + +# Supported Windows Defender ATP query APIs + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) + +## End Point URI and Versioning + +### End Point URI: + +> The service base URI is: https://api.securitycenter.windows.com + +> The queries based OData have the '/api' prefix. For example, to get Alerts you can send GET request to https://api.securitycenter.windows.com/api/alerts + +### Versioning: + +> The API supports versioning. + +> The current version is **V1.0**. + +> To use a specific version, use this format: https://api.securitycenter.windows.com/api/{Version}. For example: https://api.securitycenter.windows.com/api/v1.0/alerts + +> If you don't specify any version (e.g., https://api.securitycenter.windows.com/api/alerts ) you will get to the latest version. + + +Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. + +## In this section +Topic | Description +:---|:--- +Advanced Hunting | Run queries from API. +Alerts | Run API calls such as get alerts, alert information by ID, alert related actor information, alert related IP information, and alert related machine information. +Domain |Run API calls such as get domain related machines, domain related machines, statistics, and check if a domain is seen in your organization. +File | Run API calls such as get file information, file related alerts, file related machines, and file statistics. +IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization. +Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID. +User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines. + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md new file mode 100644 index 0000000000..2c87e56309 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-odata-samples.md @@ -0,0 +1,278 @@ +--- +title: OData queries with Windows Defender ATP +description: OData queries with Windows Defender ATP +keywords: apis, supported apis, odata, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 11/15/2018 +--- + +# OData queries with Windows Defender ATP +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +- If you are not familiar with OData queries, see: [OData V4 queries](https://www.odata.org/documentation/) + +- Not all properties are filterable. + +### Properties that supports $filter: + +- [Alert](alerts-windows-defender-advanced-threat-protection-new.md): Id, IncidentId, AlertCreationTime, Status, Severity and Category. +- [Machine](machine-windows-defender-advanced-threat-protection-new.md): Id, ComputerDnsName, LastSeen, LastIpAddress, HealthStatus, OsPlatform, RiskScore, MachineTags and RbacGroupId. +- [MachineAction](machineaction-windows-defender-advanced-threat-protection-new.md): Id, Status, MachineId, Type, Requestor and CreationDateTimeUtc. + +### Example 1 + +- Get all the machines with the tag 'ExampleTag' + +``` +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag') +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + }, + . + . + . + ] +} +``` + +### Example 2 + +- Get all the alerts that created after 2018-10-20 00:00:00 + +``` +HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime gt 2018-11-22T00:00:00Z +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + }, + . + . + . + ] +} +``` + +### Example 3 + +- Get all the machines with 'High' 'RiskScore' + +``` +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore eq 'High' +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + }, + . + . + . + ] +} +``` + +### Example 4 + +- Get top 100 machines with 'HealthStatus' not equals to 'Active' + +``` +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus ne 'Active'&$top=100 +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + }, + . + . + . + ] +} +``` + +### Example 5 + +- Get all the machines that last seen after 2018-10-20 + +``` +HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "High", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2", "ExampleTag" ] + }, + . + . + . + ] +} +``` + +### Example 6 + +- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Windows Defender ATP + +``` +HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@WcdTestPrd.onmicrosoft.com' and type eq 'RunAntiVirusScan' +``` + +**Response:** + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", + "value": [ + { + "id": "5c3e3322-d993-1234-1111-dfb136ebc8c5", + "type": "RunAntiVirusScan", + "requestor": "Analyst@examples.onmicrosoft.com", + "requestorComment": "1533", + "status": "Succeeded", + "machineId": "123321c10e44a82877af76b1d0161a17843f688a", + "creationDateTimeUtc": "2018-11-12T13:33:24.5755657Z", + "lastUpdateDateTimeUtc": "2018-11-12T13:34:32.0319826Z", + "relatedFileInfo": null + }, + . + . + . + ] +} +``` + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) diff --git a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md index 860ff1eee2..67ec69e0e1 100644 --- a/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Use the Windows Defender Advanced Threat Protection exposed APIs description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,18 +14,18 @@ ms.localizationpriority: medium ms.date: 10/23/2017 --- -# Use the Windows Defender ATP exposed APIs +# Use the Windows Defender ATP exposed APIs (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-exposedapis-abovefoldlink) -Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). +Windows Defender ATP exposes much of the available data and actions using a set of programmatic APIs that are part of the Microsoft Intelligence Security Graph. Those APIs will enable you to automate workflows and innovate based on Windows Defender ATP capabilities. The API access requires OAuth2.0 authentication. For more information, see [OAuth 2.0 Authorization Code Flow](https://docs.microsoft.com/azure/active-directory/develop/active-directory-v2-protocols-oauth-code). In general, you’ll need to take the following steps to use the APIs: - Create an app diff --git a/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..1b6c340e45 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/files-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,49 @@ +--- +title: File resource type +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# File resource type + +[!include[Prerelease information](prerelease.md)] + +Represent a file entity in WDATP. + +# Methods +Method|Return Type |Description +:---|:---|:--- +[Get file](get-file-information-windows-defender-advanced-threat-protection-new.md) | [file](files-windows-defender-advanced-threat-protection-new.md) | Get a single file +[List file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that are associated with the file. +[List file related machines](get-file-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Get the [machine](machine-windows-defender-advanced-threat-protection-new.md) entities associated with the alert. +[file statistics](get-file-statistics-windows-defender-advanced-threat-protection-new.md) | Statistics summary | Retrieves the prevalence for the given file. + + +# Properties +Property | Type | Description +:---|:---|:--- +sha1 | String | Sha1 hash of the file content +sha256 | String | Sha256 hash of the file content +md5 | String | md5 hash of the file content +globalPrevalence | Integer | File prevalence across organization +globalFirstObserved | DateTimeOffset | First time the file was observed. +globalLastObserved | DateTimeOffset | Last time the file was observed. +size | Integer | Size of the file. +fileType | String | Type of the file. +isPeFile | Boolean | true if the file is portable executable (e.g. "DLL", "EXE", etc.) +filePublisher | String | File publisher. +fileProductName | String | Product name. +signer | String | File signer. +issuer | String | File issuer. +signerHash | String | Hash of the signing certificate. +isValidCertificate | Boolean | Was signing certificate successfully verified by WDATP agent. + diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..5f1df97182 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,88 @@ +--- +title: Find machine information by internal IP API +description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP. +keywords: ip, apis, graph api, supported apis, find machine, machine information +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: high +ms.date: 07/25/2018 +--- + +# Find machine information by internal IP API + +[!include[Prerelease information](prerelease.md)] + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +Find a machine by internal IP. + +>[!NOTE] +>The timestamp must be within the last 30 days. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' + +## HTTP request +``` +GET /api/machines/find(timestamp={time},key={IP}) +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machine exists - 200 OK. +If no machine found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machines/find(timestamp=2018-06-19T10:00:00Z,key='10.166.93.61') +Content-type: application/json +``` + +**Response** + +Here is an example of the response. + +The response will return a list of all machines that reported this IP address within sixteen minutes prior and after the timestamp. + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#Machines", + "value": [ + { + "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb", + "computerDnsName": "", + "firstSeen": "2017-07-06T01:25:04.9480498Z", + "osPlatform": "Windows10", +… +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md index 94cb8338ce..f1e846309d 100644 --- a/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Find machine information by internal IP API description: Use this API to create calls related to finding a machine entry around a specific timestamp by internal IP. keywords: ip, apis, graph api, supported apis, find machine, machine information search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 07/25/2018 --- -# Find machine information by internal IP API +# Find machine information by internal IP API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Find a machine entity around a specific timestamp by internal IP. diff --git a/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..83d5cedfe0 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/find-machines-by-ip-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,107 @@ +--- +title: Find machines by internal IP API +description: Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp +keywords: apis, graph api, supported apis, get, machine, IP, find, find machine, by ip, ip +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Find machines by internal IP API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Find machines seen with the requested internal IP in the time range of 15 minutes prior and after a given timestamp +- The given timestamp must be in the past 30 days. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/machines/findbyip(ip='{IP}',timestamp={TimeStamp}) +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machines were found - 200 OK with list of the machines in the response body. +If no machine found - 404 Not Found. +If the timestamp is not in the past 30 days - 400 Bad Request. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/machines/findbyip(ip='10.248.240.38',timestamp=2018-09-22T08:44:05Z) +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-09-22T08:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "10.248.240.38", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index 1de9e6fc6b..77d40948be 100644 --- a/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Fix unhealthy sensors in Windows Defender ATP description: Fix machine sensors that are reporting as misconfigured or inactive so that the service receives data from the machine. keywords: misconfigured, inactive, fix sensor, sensor health, no sensor data, sensor data, impaired communications, communication search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 10/23/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -39,7 +40,7 @@ A reinstalled or renamed machine will generate a new machine entity in Windows D **Machine was offboarded**
    If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive. -Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). +Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). ## Misconfigured machines Misconfigured machines can further be classified to: diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md index 11933fc1f8..ac3608c9c2 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get actor information API description: Retrieves an actor information report. keywords: apis, graph api, supported apis, get, actor, information search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -14,12 +15,13 @@ ms.date: 12/08/2017 --- -# Get actor information API +# Get actor information API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Retrieves an actor information report. diff --git a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md index 7d607f80b0..c0ff5a988c 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get actor related alerts API description: Retrieves all alerts related to a given actor. keywords: apis, graph api, supported apis, get, actor, related, alerts search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get actor related alerts API +# Get actor related alerts API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves all alerts related to a given actor. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..5c9436aefc --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,98 @@ +--- +title: Get alert information by ID API +description: Retrieves an alert by its ID. +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get alert information by ID API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves an alert by its ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body. If alert with the specified id was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/alerts/441688558380765161_2136280442 +``` + +**Response** + +Here is an example of the response. + + +``` +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md index 7bd281c1c2..70160a3b2c 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get alert information by ID API description: Retrieves an alert by its ID. keywords: apis, graph api, supported apis, get, alert, information, id search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get alert information by ID API +# Get alert information by ID API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves an alert by its ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md index feb7c72977..99fcbab5bf 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get alert related actor information API description: Retrieves the actor information related to the specific alert. keywords: apis, graph api, supported apis, get, alert, actor, information, related search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get alert related actor information API +# Get alert related actor information API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Retrieves the actor information related to the specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..a51d83949c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,86 @@ +--- +title: Get alert related domains information +description: Retrieves all domains related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related domain +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get alert related domain information API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves all domains related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | URL.Read.All | 'Read URLs' +Delegated (work or school account) | URL.Read.All | 'Read URLs' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id}/domains +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and domain exist - 200 OK. If alert not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/domains +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/$metadata#Domains", + "value": [ + { + "host": "www.example.com" + } + ] +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md index 1dc2400622..d0cfda9671 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get alert related domain information description: Retrieves all domains related to a specific alert. keywords: apis, graph api, supported apis, get alert information, alert information, related domain search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,11 +14,14 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get alert related domain information API +# Get alert related domain information API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + + +[!include[Deprecatedinformation](deprecate.md)] diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..aecd1dc46f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,99 @@ +--- +title: Get alert related files information +description: Retrieves all files related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related files +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get alert related files information API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves all files related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | File.Read.All | 'Read file profiles' +Delegated (work or school account) | File.Read.All | 'Read file profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id}/files +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and files exist - 200 OK. If alert not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/files +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files", + "value": [ + { + "sha1": "654f19c41d9662cf86be21bf0af5a88c38c56a9d", + "sha256": "2f905feec2798cee6f63da2c26758d86bfeaab954c01e20ac7085bf55fedde87", + "md5": "82849dc81d94056224445ea73dc6153a", + "globalPrevalence": 33, + "globalFirstObserved": "2018-07-17T18:17:27.5909748Z", + "globalLastObserved": "2018-08-06T16:07:12.9414137Z", + "windowsDefenderAVThreatName": null, + "size": 801112, + "fileType": "PortableExecutable", + "isPeFile": true, + "filePublisher": null, + "fileProductName": null, + "signer": "Microsoft Windows", + "issuer": "Microsoft Development PCA 2014", + "signerHash": "9e284231a4d1c53fc8d4492b09f65116bf97447f", + "isValidCertificate": true + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md index 692038dece..cc2ec68bf7 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get alert related files information description: Retrieves all files related to a specific alert. keywords: apis, graph api, supported apis, get alert information, alert information, related files search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get alert related files information API +# Get alert related files information API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves all files related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..3da5ca41df --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,89 @@ +--- +title: Get alert related IPs information +description: Retrieves all IPs related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related ip +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get alert related IP information API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + +Retrieves all IPs related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ip.Read.All | 'Read IP address profiles' +Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id}/ips +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and an IP exist - 200 OK. If alert not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/alerts/636688558380765161_2136280442/ips +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/$metadata#Ips", + "value": [ + { + "id": "104.80.104.128" + }, + { + "id": "23.203.232.228 + } + ] +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md index 13d6fa451e..fba77be35c 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get alert related IP information description: Retrieves all IPs related to a specific alert. keywords: apis, graph api, supported apis, get alert information, alert information, related ip search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get alert related IP information API +# Get alert related IP information API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves all IPs related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..05bf63bda9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,99 @@ +--- +title: Get alert related machine information +description: Retrieves all machines related to a specific alert. +keywords: apis, graph api, supported apis, get alert information, alert information, related machine +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get alert related machine information API + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Retrieves machine that is related to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine information' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id}/machine +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and machine exist - 200 OK. If alert not found or machine not found - 404 Not Found. + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/machine +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines/$entity", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md index c65563b583..a9abbd55bb 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get alert related machine information description: Retrieves all machines related to a specific alert. keywords: apis, graph api, supported apis, get alert information, alert information, related machine search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get alert related machine information API +# Get alert related machine information API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves all machines related to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..5d1de50542 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,90 @@ +--- +title: Get alert related user information +description: Retrieves the user associated to a specific alert. +keywords: apis, graph api, supported apis, get, alert, information, related, user +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get alert related user information API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + +Retrieves the user associated to a specific alert. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | User.Read.All | 'Read user profiles' +Delegated (work or school account) | User.Read.All | 'Read user profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts/{id}/user +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and alert and a user exists - 200 OK with user in the body. If alert or user not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/api/alerts/636688558380765161_2136280442/user +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity", + "id": "contoso\\user1", + "firstSeen": "2018-08-02T00:00:00Z", + "lastSeen": "2018-08-04T00:00:00Z", + "mostPrevalentMachineId": null, + "leastPrevalentMachineId": null, + "logonTypes": "Network", + "logOnMachinesCount": 3, + "isDomainAdmin": false, + "isOnlyNetworkUser": null +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md index 0ca328f129..cd9221b4db 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get alert related user information description: Retrieves the user associated to a specific alert. keywords: apis, graph api, supported apis, get, alert, information, related, user search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get alert related user information API +# Get alert related user information API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves the user associated to a specific alert. diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..9b0c1f4123 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,135 @@ +--- +title: List alerts API +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# List alerts API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + + +- Retrieves a collection of Alerts. +- Supports [OData V4 queries](https://www.odata.org/documentation/). +- The OData's Filter query is supported on: "Id", "IncidentId", "AlertCreationTime", "Status", "Severity" and "Category". +- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The response will include only alerts that are associated with machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/alerts +``` + +## Optional query parameters +Method supports $skip and $top query parameters. + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200 OK, and a list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) objects in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/alerts +``` + +**Response** + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + + +```json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + }, + { + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` + +## Related topics +- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md index 91370e6ab4..30daf66f8c 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get alerts API description: Retrieves top recent alerts. keywords: apis, graph api, supported apis, get, alerts, recent search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get alerts API +# Get alerts API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves top recent alerts. diff --git a/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..ae59bae72e --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-cvekbmap-collection-windows-defender-advanced-threat-protection.md @@ -0,0 +1,78 @@ +--- +title: Get CVE-KB map API +description: Retrieves a map of CVE's to KB's. +keywords: apis, graph api, supported apis, get, cve, kb +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: leonidzh +author: mjcaparas +ms.localizationpriority: medium +ms.date: 10/07/2018 +--- + +# Get CVE-KB map API + +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +Retrieves a map of CVE's to KB's and CVE details. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/cvekbmap +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + +## Request body +Empty + +## Response +If successful and map exists - 200 OK. + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/CveKbMap +Content-type: application/json +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap", + "@odata.count": 4168, + "value": [ + { + "cveKbId": "CVE-2015-2482-3097617", + "cveId": "CVE-2015-2482", + "kbId":"3097617", + "title": "Cumulative Security Update for Internet Explorer", + "severity": "Critical" + }, + … +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..639c228caf --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,129 @@ +--- +title: Get domain related alerts API +description: Retrieves a collection of alerts related to a given domain address. +keywords: apis, graph api, supported apis, get, domain, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get domain related alerts API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + + + + + +Retrieves a collection of alerts related to a given domain address. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/domains/{domain}/alerts +``` + +## Request headers + +Header | Value +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities. If domain does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/domains/client.wns.windows.com/alerts +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 OK +Content-type: application/json + +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + }, + { + "id": "121688558380765161_2136280442", + "incidentId": 4123, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-24T16:19:21.8409809Z", + "firstEventTime": "2018-11-24T16:17:50.0948658Z", + "lastEventTime": "2018-11-24T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` + diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md index edf69b8cc2..4d2cd0fc45 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get domain related alerts API description: Retrieves a collection of alerts related to a given domain address. keywords: apis, graph api, supported apis, get, domain, related, alerts search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,15 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get domain related alerts API +# Get domain related alerts API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] + Retrieves a collection of alerts related to a given domain address. diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..60229ac888 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,122 @@ +--- +title: Get domain related machines API +description: Retrieves a collection of machines related to a given domain address. +keywords: apis, graph api, supported apis, get, domain, related, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get domain related machines API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves a collection of machines that have communicated to or from a given domain address. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/domains/{domain}/machines +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities. If domain do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/api/domains/api.securitycenter.windows.com/machines +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + }, + { + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, + "healthStatus": "Inactive", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md index 42274f276d..9995b7a57f 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get domain related machines API description: Retrieves a collection of machines related to a given domain address. keywords: apis, graph api, supported apis, get, domain, related, machines search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get domain related machines API +# Get domain related machines API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a collection of machines related to a given domain address. diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..c940edba9f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,83 @@ +--- +title: Get domain statistics API +description: Retrieves the prevalence for the given domain. +keywords: apis, graph api, supported apis, get, domain, domain related machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get domain statistics API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves the prevalence for the given domain. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | URL.Read.All | 'Read URLs' +Delegated (work or school account) | URL.Read.All | 'Read URLs' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/domains/{domain}/stats +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK, with statistics object in the response body. If domain does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/domains/example.com/stats +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgDomainStats", + "host": "example.com", + "orgPrevalence": "4070", + "orgFirstSeen": "2017-07-30T13:23:48Z", + "orgLastSeen": "2017-08-29T13:09:05Z" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md index a8d16cda6c..7cab84b5fb 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get domain statistics API description: Retrieves the prevalence for the given domain. keywords: apis, graph api, supported apis, get, domain, domain related machines search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get domain statistics API +# Get domain statistics API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Retrieves the prevalence for the given domain. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..82ba0c9a36 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,97 @@ +--- +title: Get file information API +description: Retrieves a file by identifier Sha1, Sha256, or MD5. +keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5 +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get file information API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + +Retrieves a file by identifier Sha1, Sha256, or MD5. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | File.Read.All | 'Read all file profiles' +Delegated (work or school account) | File.Read.All | 'Read all file profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + + +## HTTP request +``` +GET /api/files/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK with the [file](files-windows-defender-advanced-threat-protection-new.md) entity in the body. If file does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1 +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Files/$entity", + "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1", + "sha256": "d4447dffdbb2889b4b4e746b0bc882df1b854101614b0aa83953ef3cb66904cf", + "md5": "7f05a371d2beffb3784fd2199f81d730", + "globalPrevalence": 7329, + "globalFirstObserved": "2018-04-08T05:50:29.4459725Z", + "globalLastObserved": "2018-08-07T23:35:11.1361328Z", + "windowsDefenderAVThreatName": null, + "size": 391680, + "fileType": "PortableExecutable", + "isPeFile": true, + "filePublisher": null, + "fileProductName": null, + "signer": null, + "issuer": null, + "signerHash": null, + "isValidCertificate": null +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md index 3a8aecdcdc..9683f68898 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get file information API description: Retrieves a file by identifier Sha1, Sha256, or MD5. keywords: apis, graph api, supported apis, get, file, information, sha1, sha256, md5 search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get file information API +# Get file information API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a file by identifier Sha1, Sha256, or MD5. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..7f309c2d4b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,106 @@ +--- +title: Get file related alerts API +description: Retrieves a collection of alerts related to a given file hash. +keywords: apis, graph api, supported apis, get, file, hash +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get file related alerts API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + + +Retrieves a collection of alerts related to a given file hash. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/files/{id}/alerts +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/alerts +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md index 3bc108f4c5..3967df849d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get file related alerts API description: Retrieves a collection of alerts related to a given file hash. keywords: apis, graph api, supported apis, get, file, hash search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get file related alerts API +# Get file related alerts API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a collection of alerts related to a given file hash. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..75017123a4 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,121 @@ +--- +title: Get file related machines API +description: Retrieves a collection of machines related to a given file hash. +keywords: apis, graph api, supported apis, get, machines, hash +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get file related machines API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Retrieves a collection of machines related to a given file hash. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/files/{id}/machines +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If file do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/files/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/machines +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + }, + { + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, + "healthStatus": "Inactive", + "rbacGroupId": 140, + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md index 46a55266b9..dc8a07b552 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get file related machines API description: Retrieves a collection of machines related to a given file hash. keywords: apis, graph api, supported apis, get, machines, hash search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get file related machines API +# Get file related machines API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a collection of machines related to a given file hash. diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..3f661dc422 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,92 @@ +--- +title: Get file statistics API +description: Retrieves the prevalence for the given file. +keywords: apis, graph api, supported apis, get, file, statistics +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get file statistics API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + + + + +Retrieves the prevalence for the given file. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | File.Read.All | 'Read file profiles' +Delegated (work or school account) | File.Read.All | 'Read file profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/files/{id}/stats +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and file exists - 200 OK with statistical data in the body. If file do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/files/6532ec91d513acc05f43ee0aa3002599729fd3e1/stats +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgFileStats", + "sha1": "6532ec91d513acc05f43ee0aa3002599729fd3e1", + "orgPrevalence": "3", + "orgFirstSeen": "2018-07-15T06:13:59Z", + "orgLastSeen": "2018-08-03T16:45:21Z", + "topFileNames": [ + "chrome_1.exe", + "chrome_2.exe" + ] +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md index 379a272b7f..e7b702fac8 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get file statistics API description: Retrieves the prevalence for the given file. keywords: apis, graph api, supported apis, get, file, statistics search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get file statistics API +# Get file statistics API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Retrieves the prevalence for the given file. diff --git a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md index 58ec0179eb..b83bae0e6d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get FileActions collection API description: Use this API to create calls related to get fileactions collection keywords: apis, graph api, supported apis, get, file, information, fileactions collection search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get FileActions collection API +# Get FileActions collection API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Gets collection of actions done on files. Get FileActions collection API supports OData V4 queries. diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md index e30ca834b1..5fc6065ee7 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get FileMachineAction object API description: Use this API to create calls related to get machineaction object keywords: apis, graph api, supported apis, filemachineaction object search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get FileMachineAction object API +# Get FileMachineAction object API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Gets file and machine actions. diff --git a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md index 4f981ccd54..b00ad9d909 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get FileMachineActions collection API description: Use this API to create calls related to get filemachineactions collection keywords: apis, graph api, supported apis, filemachineactions collection search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get FileMachineActions collection API +# Get FileMachineActions collection API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Get collection of file and machine actions. Get FileMachineActions collection API supports OData V4 queries. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..369f38ef43 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,105 @@ +--- +title: Get IP related alerts API +description: Retrieves a collection of alerts related to a given IP address. +keywords: apis, graph api, supported apis, get, ip, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get IP related alerts API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves a collection of alerts related to a given IP address. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/ips/{ip}/alerts +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and IP exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/alerts +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md index b1ad30ecd5..3502e90557 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get IP related alerts API description: Retrieves a collection of alerts related to a given IP address. keywords: apis, graph api, supported apis, get, ip, related, alerts search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get IP related alerts API +# Get IP related alerts API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a collection of alerts related to a given IP address. diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..628d8def35 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,122 @@ +--- +title: Get IP related machines API +description: Retrieves a collection of machines related to a given IP address. +keywords: apis, graph api, supported apis, get, ip, related, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get IP related machines API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + +Retrieves a collection of machines that communicated with or from a particular IP. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/ips/{ip}/machines +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and IP exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If IP do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/machines +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "riskScore": "Low", + "rbacGroupName": "The-A-Team", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + }, + { + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, + "healthStatus": "Inactive", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md index 1796c563b1..72071848e6 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get IP related machines API description: Retrieves a collection of machines related to a given IP address. keywords: apis, graph api, supported apis, get, ip, related, machines search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -36,8 +37,7 @@ Content type | application/json Empty ## Response -If successful and IP and machines exists - 200 OK. -If IP or machines do not exist - 404 Not Found. +If successful and IP and machines exists - 200 OK. If IP or machines do not exist - 404 Not Found. ## Example diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..763444713a --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,85 @@ +--- +title: Get IP statistics API +description: Retrieves the prevalence for the given IP. +keywords: apis, graph api, supported apis, get, ip, statistics, prevalence +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get IP statistics API +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + + + +Retrieves the prevalence for the given IP. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ip.Read.All | 'Read IP address profiles' +Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/ips/{ip}/stats +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and ip exists - 200 OK with statistical data in the body. IP do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/ips/10.209.67.177/stats +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#microsoft.windowsDefenderATP.api.InOrgIPStats", + "ipAddress": "10.209.67.177", + "orgPrevalence": "63515", + "orgFirstSeen": "2017-07-30T13:36:06Z", + "orgLastSeen": "2017-08-29T13:32:59Z" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md index f04eee146e..04783ac39e 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get IP statistics API description: Retrieves the prevalence for the given IP. keywords: apis, graph api, supported apis, get, ip, statistics, prevalence search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -17,7 +18,7 @@ ms.date: 12/08/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..700a3ded7d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-kbinfo-collection-windows-defender-advanced-threat-protection.md @@ -0,0 +1,77 @@ +--- +title: Get KB collection API +description: Retrieves a collection of KB's. +keywords: apis, graph api, supported apis, get, kb +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: leonidzh +author: mjcaparas +ms.localizationpriority: medium +ms.date: 10/07/2018 +--- + +# Get KB collection API + +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +Retrieves a collection of KB's and KB details. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/kbinfo +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + +## Request body +Empty + +## Response +If successful - 200 OK. + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/KbInfo +Content-type: application/json +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo", + "@odata.count": 271, + "value":[ + { + "id": "KB3097617 (10240.16549) Amd64", + "release": "KB3097617 (10240.16549)", + "publishingDate": "2015-10-16T21:00:00Z", + "version": "10.0.10240.16549", + "architecture": "Amd64" + }, + … +} +``` \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..9c3d3c0eeb --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,103 @@ +--- +title: Get machine by ID API +description: Retrieves a machine entity by ID. +keywords: apis, graph api, supported apis, get, machines, entity, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get machine by ID API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Retrieves a machine entity by ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + + +## HTTP request +``` +GET /api/machines/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machine exists - 200 OK with the [machine](machine-windows-defender-advanced-threat-protection-new.md) entity in the body. +If machine with the specified id was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07 +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machine", + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md index cdb7691d99..66f525a094 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get machine by ID API description: Retrieves a machine entity by ID. keywords: apis, graph api, supported apis, get, machines, entity, id search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get machine by ID API +# Get machine by ID API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a machine entity by ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..93e70b3e10 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,104 @@ +--- +title: Get machine log on users API +description: Retrieves a collection of logged on users. +keywords: apis, graph api, supported apis, get, machine, log on, users +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get machine log on users API + +[!include[Prereleaseinformation](prerelease.md)] + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Retrieves a collection of logged on users. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | User.Read.All | 'Read user profiles' +Delegated (work or school account) | User.Read.All | 'Read user profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include users only if the machine is visible to the user, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/machines/{id}/logonusers +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machine exist - 200 OK with list of [user](user-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users", + "value": [ + { + "id": "contoso\\user1", + "firstSeen": "2018-08-02T00:00:00Z", + "lastSeen": "2018-08-04T00:00:00Z", + "mostPrevalentMachineId": null, + "leastPrevalentMachineId": null, + "logonTypes": "Network", + "logOnMachinesCount": 3, + "isDomainAdmin": false, + "isOnlyNetworkUser": null + }, + { + "id": "contoso\\user2", + "firstSeen": "2018-08-02T00:00:00Z", + "lastSeen": "2018-08-05T00:00:00Z", + "mostPrevalentMachineId": null, + "leastPrevalentMachineId": null, + "logonTypes": "Network", + "logOnMachinesCount": 3, + "isDomainAdmin": false, + "isOnlyNetworkUser": null + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md index f73f0600fd..13530b98e5 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get machine log on users API description: Retrieves a collection of logged on users. keywords: apis, graph api, supported apis, get, machine, log on, users search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get machine log on users API +# Get machine log on users API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a collection of logged on users. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..22e929fc9c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,105 @@ +--- +title: Get machine related alerts API +description: Retrieves a collection of alerts related to a given machine ID. +keywords: apis, graph api, supported apis, get, machines, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get machine related alerts API + +[!include[Prereleaseinformation](prerelease.md)] + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Retrieves a collection of alerts related to a given machine ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- User needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/machines/{id}/alerts +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machine exists - 200 OK with list of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities in the body. If machine was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/alerts +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md index 2cbf47c5da..4803e86973 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get machine related alerts API description: Retrieves a collection of alerts related to a given machine ID. keywords: apis, graph api, supported apis, get, machines, related, alerts search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get machine related alerts API +# Get machine related alerts API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a collection of alerts related to a given machine ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..bfda8dcbcd --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,92 @@ +--- +title: Get MachineAction object API +description: Use this API to create calls related to get machineaction object +keywords: apis, graph api, supported apis, machineaction object +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get machineAction API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Get action performed on a machine. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/machineactions/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with a [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. If machine action entity with the specified id was not found - 404 Not Found. + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/machineactions/2e9da30d-27f6-4208-81f2-9cd3d67893ba +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", + "type": "RunAntiVirusScan", + "requestor": "Analyst@contoso.com", + "requestorComment": "Check machine for viruses due to alert 3212", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", + "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", + "relatedFileInfo": null +} + + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md index 21214216c0..b3ed113094 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get MachineAction object API description: Use this API to create calls related to get machineaction object keywords: apis, graph api, supported apis, machineaction object search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get MachineAction object API +# Get MachineAction object API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Get actions done on a machine. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..1e956940fa --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,174 @@ +--- +title: List machineActions API +description: Use this API to create calls related to get machineactions collection +keywords: apis, graph api, supported apis, machineaction collection +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# List MachineActions API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Gets collection of actions done on machines. +- Get MachineAction collection API supports [OData V4 queries](https://www.odata.org/documentation/). +- The OData's Filter query is supported on: "Id", "Status", "MachineId", "Type", "Requestor" and "CreationDateTimeUtc". +- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/machineactions +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with a collection of [machineAction](machineaction-windows-defender-advanced-threat-protection-new.md) entities. + + +## Example 1 + +**Request** + +Here is an example of the request on an organization that has three MachineActions. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/machineactions +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", + "value": [ + { + "id": "69dc3630-1ccc-4342-acf3-35286eec741d", + "type": "CollectInvestigationPackage", + "requestor": "Analyst@contoso.com", + "requestorComment": "test", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z", + "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z", + "relatedFileInfo": null + }, + { + "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", + "type": "RunAntiVirusScan", + "requestor": "Analyst@contoso.com", + "requestorComment": "Check machine for viruses due to alert 3212", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", + "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", + "relatedFileInfo": null + }, + { + "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e", + "type": "StopAndQuarantineFile", + "requestor": "Analyst@contoso.com", + "requestorComment": "test", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z", + "lastUpdateTimeUtc": "2018-12-04T12:16:14.2899973Z", + "relatedFileInfo": { + "fileIdentifier": "a0c659857ccbe457fdaf5fe21d54efdcbf6f6508", + "fileIdentifierType": "Sha1" + } + } + ] +} +``` + +## Example 2 + +**Request** + +Here is an example of a request that filters the MachineActions by machine ID and shows the latest two MachineActions. + +``` +GET https://api.securitycenter.windows.com/api/machineactions?$filter=machineId eq 'f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f'&$top=2 +``` + +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions", + "value": [ + { + "id": "69dc3630-1ccc-4342-acf3-35286eec741d", + "type": "CollectInvestigationPackage", + "requestor": "Analyst@contoso.com", + "requestorComment": "test", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:43:57.2011911Z", + "lastUpdateTimeUtc": "2018-12-04T12:45:25.4049122Z", + "relatedFileInfo": null + }, + { + "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", + "type": "RunAntiVirusScan", + "requestor": "Analyst@contoso.com", + "requestorComment": "Check machine for viruses due to alert 3212", + "status": "Succeeded", + "machineId": "f46b9bb259ed4a7fb9981b73510e3cc7aa81ec1f", + "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", + "lastUpdateTimeUtc": "2018-12-04T12:18:57.5511934Z", + "relatedFileInfo": null + } + ] +} +``` + +## Related topics +- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md index 4f8250057a..0983daee3c 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get MachineActions collection API description: Use this API to create calls related to get machineactions collection keywords: apis, graph api, supported apis, machineaction collection search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get MachineActions collection API +# Get MachineActions collection API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Gets collection of actions done on machines. Get MachineAction collection API supports OData V4 queries. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..d98a86a488 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machinegroups-collection-windows-defender-advanced-threat-protection.md @@ -0,0 +1,77 @@ +--- +title: Get RBAC machine groups collection API +description: Retrieves a collection of RBAC machine groups. +keywords: apis, graph api, supported apis, get, RBAC, group +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: leonidzh +author: mjcaparas +ms.localizationpriority: medium +ms.date: 10/07/2018 +--- + +# Get KB collection API + +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +Retrieves a collection of RBAC machine groups. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machinegroups +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + +## Request body +Empty + +## Response +If successful - 200 OK. + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machinegroups +Content-type: application/json +``` + +**Response** + +Here is an example of the response. +Field id contains machine group **id** and equal to field **rbacGroupId** in machines info. +Field **ungrouped** is true only for one group for all machines that have not been assigned to any group. This group as usual has name "UnassignedGroup". + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineGroups", + "@odata.count":7, + "value":[ + { + "id":86, + "name":"UnassignedGroup", + "description":"", + "ungrouped":true}, + … +} +``` \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..15817d675c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,128 @@ +--- +title: List machines API +description: Retrieves a collection of recently seen machines. +keywords: apis, graph api, supported apis, get, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# List machines API + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Retrieves a collection of machines that have communicated with WDATP cloud on the last 30 days. +- Get Machines collection API supports [OData V4 queries](https://www.odata.org/documentation/). +- The OData's Filter query is supported on: "Id", "ComputerDnsName", "LastSeen", "LastIpAddress", "HealthStatus", "OsPlatform", "RiskScore", "MachineTags" and "RbacGroupId". +- See examples at [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) + +## Permissions + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/machines +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and machines exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If no recent machines - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/machines +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + }, + { + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, + "healthStatus": "Inactive", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } + ] +} +``` + +## Related topics +- [OData queries with Windows Defender ATP](exposed-apis-odata-samples.md) diff --git a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md index 15f5915642..2aae8e0d5d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get machines API description: Retrieves a collection of recently seen machines. keywords: apis, graph api, supported apis, get, machines search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get machines API +# Get machines API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a collection of recently seen machines. diff --git a/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..8880d2c1b8 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-machinesecuritystates-collection-windows-defender-advanced-threat-protection.md @@ -0,0 +1,84 @@ +--- +title: Get machines security states collection API +description: Retrieves a collection of machines security states. +keywords: apis, graph api, supported apis, get, machine, security, state +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: leonidzh +author: mjcaparas +ms.localizationpriority: medium +ms.date: 10/07/2018 +--- + +# Get Machines security states collection API + +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +Retrieves a collection of machines security states. + +## Permissions +User needs read permissions. + +## HTTP request +``` +GET /testwdatppreview/machinesecuritystates +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content type | application/json + +## Request body +Empty + +## Response +If successful - 200 OK. + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates +Content-type: application/json +``` + +**Response** + +Here is an example of the response. +Field *id* contains machine id and equal to the field *id** in machines info. + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates", + "@odata.count":444, + "@odata.nextLink":"https://graph.microsoft.com/testwdatppreview/machinesecuritystates?$skiptoken=[continuation token]", + "value":[ + { + "id":"000050e1b4afeee3742489ede9ad7a3e16bbd9c4", + "build":14393, + "revision":2485, + "architecture":"Amd64", + "osVersion":"10.0.14393.2485.amd64fre.rs1_release.180827-1809", + "propertiesRequireAttention":[ + "AntivirusNotReporting", + "EdrImpairedCommunications" + ] + }, + … + ] +} +``` \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..6b90d0ff62 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,84 @@ +--- +title: Get package SAS URI API +description: Use this API to get a URI that allows downloading an investigation package. +keywords: apis, graph api, supported apis, get package, sas, uri +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get package SAS URI API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Get a URI that allows downloading of an [investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md). + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.CollectForensics | 'Collect forensics' +Delegated (work or school account) | Machine.CollectForensics | 'Collect forensics' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts Investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/machineactions/{machine action id}/getPackageUri +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with object that holds the link to the package in the “value” parameter. This link is valid for a very short time and should be used immediately for downloading the package to a local storage. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/machineactions/7327b54fd718525cbca07dacde913b5ac3c85673/GetPackageUri + +``` + +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +HTTP/1.1 200 Ok +Content-type: application/json + +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Edm.String", + "value": "\"https://userrequests-us.securitycenter.windows.com:443/safedownload/WDATP_Investigation_Package.zip?token=gbDyj7y%2fbWGAZjn2sFiZXlliBTXOCVG7yiJ6mXNaQ9pLByC2Wxeno9mENsPFP3xMk5l%2bZiJXjLvqAyNEzUNROxoM2I1er9dxzfVeBsxSmclJjPsAx%2btiNyxSz1Ax%2b5jaT5cL5bZg%2b8wgbwY9urXbTpGjAKh6FB1e%2b0ypcWkPm8UkfOwsmtC%2biZJ2%2bPqnkkeQk7SKMNoAvmh9%2fcqDIPKXGIBjMa0D9auzypOqd8bQXp7p2BnLSH136BxST8n9IHR4PILvRjAYW9kvtHkBpBitfydAsUW4g2oDZSPN3kCLBOoo1C4w4Lkc9Bc3GNU2IW6dfB7SHcp7G9p4BDkeJl3VuDs6esCaeBorpn9FKJ%2fXo7o9pdcI0hUPZ6Ds9hiPpwPUtz5J29CBE3QAopCK%2fsWlf6OW2WyXsrNRSnF1tVE5H3wXpREzuhD7S4AIA3OIEZKzC4jIPLeMu%2bazZU9xGwuc3gICOaokbwMJiZTqcUuK%2fV9YdBdjdg8wJ16NDU96Pl6%2fgew2KYuk6Wo7ZuHotgHI1abcsvdlpe4AvixDbqcRJthsg2PpLRaFLm5av44UGkeK6TJpFvxUn%2f9fg6Zk5yM1KUTHb8XGmutoCM8U9er6AzXZlY0gGc3D3bQOg41EJZkEZLyUEbk1hXJB36ku2%2bW01cG71t7MxMBYz7%2bdXobxpdo%3d%3bRWS%2bCeoDfTyDcfH5pkCg6hYDmCOPr%2fHYQuaUWUBNVnXURYkdyOzVHqp%2fe%2f1BNyPdVoVkpQHpz1pPS3b5g9h7IMmNKCk5gFq5m2nPx6kk9EYtzx8Ndoa2m9Yj%2bSaf8zIFke86YnfQL4AYewsnQNJJh4wc%2bXxGlBq7axDcoiOdX91rKzVicH3GSBkFoLFAKoegWWsF%2fEDZcVpF%2fXUA1K8HvB6dwyfy4y0sAqnNPxYTQ97mG7yHhxPt4Pe9YF2UPPAJVuEf8LNlQ%2bWHC9%2f7msF6UUI4%2fca%2ftpjFs%2fSNeRE8%2fyQj21TI8YTF1SowvaJuDc1ivEoeopNNGG%2bGI%2fX0SckaVxU9Hdkh0zbydSlT5SZwbSwescs0IpzECitBbaLUz4aT8KTs8T0lvx8D7Te3wVsKAJ1r3iFMQZrlk%2bS1WW8rvac7oHRx2HKURn1v7fDIQWgJr9aNsNlFz4fLJ50T2qSHuuepkLVbe93Va072aMGhvr09WVKoTpAf1j2bcFZZU6Za5PxI32mr0k90FgiYFJ1F%2f1vRDrGwvWVWUkR3Z33m4g0gHa52W1FMxQY0TJIwbovD6FaSNDx7xhKZSd5IJ7r6P91Gez49PaZRcAZPjd%2bfbul3JNm1VqQPTLohT7wa0ymRiXpSST74xtFzuEBzNSNATdbngj3%2fwV4JesTjZjIj5Dc%3d%3blumqauVlFuuO8MQffZgs0tLJ4Fq6fpeozPTdDf8Ll6XLegi079%2b4mSPFjTK0y6eohstxdoOdom2wAHiZwk0u4KLKmRkfYOdT1wHY79qKoBQ3ZDHFTys9V%2fcwKGl%2bl8IenWDutHygn5IcA1y7GTZj4g%3d%3d\"" +} + + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md index b000396208..688491a75d 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get package SAS URI API description: Use this API to get a URI that allows downloading an investigation package. keywords: apis, graph api, supported apis, get package, sas, uri search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get package SAS URI API +# Get package SAS URI API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Get a URI that allows downloading of an investigation package. diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md index ea37ae0629..5cbdd37666 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-started.md +++ b/windows/security/threat-protection/windows-defender-atp/get-started.md @@ -3,6 +3,7 @@ title: Get started with Windows Defender Advanced Threat Protection description: Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. keywords: get started, minimum requirements, setup, subscription, features, data storage, privacy, user access search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,10 +11,18 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 11/20/2018 --- # Get started with Windows Defender Advanced Threat Protection +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +>[!TIP] +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP. The following capabilities are available across multiple products that make up the Windows Defender ATP platform. @@ -40,7 +49,7 @@ Advanced hunting allows you to hunt for possible threats across your organizatio Integrate Windows Defender Advanced Threat Protection into your existing workflows. **Microsoft threat protection**
    -Bring the power of Microsoft threat protection to your organization. +Bring the power of Microsoft Threat Protection to your organization. ## In this section Topic | Description diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..ccd438a908 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,92 @@ +--- +title: Get Ti Indicator by ID API +description: Retrieves Ti Indicator entity by ID. +keywords: apis, public api, supported apis, get, ti indicator, entity, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get TI Indicator by ID API + +[!include[Prereleaseinformation](prerelease.md)] + +>[!Note] +> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) + + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) +Retrieves a TI Indicator entity by ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ti.ReadWrite | 'Read and write TI Indicators' + + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/tiindicators/{id} +``` + +[!include[Improve request performance](improverequestperformance-new.md)] + + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and TI Indicator exists - 200 OK with the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the body. +If TI Indicator with the specified id was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/tiindicators/220e7d15b0b3d7fac48f2bd61114db1022197f7f +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators/$entity", + "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", + "createdBy": "45097602-0cfe-4cc6-925f-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST" +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..d2c398ee0f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,109 @@ +--- +title: List TiIndicators API +description: Use this API to create calls related to get TiIndicators collection +keywords: apis, public api, supported apis, TiIndicators collection +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# List TiIndicators API + +[!include[Prereleaseinformation](prerelease.md)] + +>[!Note] +> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) + + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + Gets collection of TI Indicators. + Get TI Indicators collection API supports [OData V4 queries](https://www.odata.org/documentation/). + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ti.ReadWrite | 'Read and write TI Indicators' + + +## HTTP request +``` +GET https://api.securitycenter.windows.com/api/tiindicators +``` + +[!include[Improve request performance](improverequestperformance-new.md)] + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful, this method returns 200, Ok response code with a collection of [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. + +>[!Note] +> The response will only include TI Indicators that submitted by the calling Application. + + +## Example + +**Request** + +Here is an example of a request that gets all TI Indicators + +``` +GET https://api.securitycenter.windows.com/api/tiindicators +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 Ok +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#TiIndicators", + "value": [ + { + "indicator": "12.13.14.15", + "indicatorType": "IpAddress", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T11:15:35.3688259Z", + "createdBy": "45097602-1234-5678-1234-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "test" + }, + { + "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", + "createdBy": "45097602-1234-5678-1234-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..ef4ed492c9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,85 @@ +--- +title: Get user information API +description: Retrieve a User entity by key such as user name or domain. +keywords: apis, graph api, supported apis, get, user, user information +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get user information API + +[!include[Prerelease information](prerelease.md)] + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +Retrieve a User entity by key (user name). + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | User.Read.All | 'Read all user profiles' + +## HTTP request +``` +GET /api/users/{id}/ +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and user exists - 200 OK with [user](user-windows-defender-advanced-threat-protection-new.md) entity in the body. If user does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/users/user1 +Content-type: application/json +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Users/$entity", + "id": "user1", + "firstSeen": "2018-08-02T00:00:00Z", + "lastSeen": "2018-08-04T00:00:00Z", + "mostPrevalentMachineId": null, + "leastPrevalentMachineId": null, + "logonTypes": "Network", + "logOnMachinesCount": 3, + "isDomainAdmin": false, + "isOnlyNetworkUser": null +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md index 44a41412fe..86880c519e 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get user information API description: Retrieve a User entity by key such as user name or domain. keywords: apis, graph api, supported apis, get, user, user information search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get user information API +# Get user information API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieve a User entity by key (user name or domain\user). diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..f78eff0109 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,125 @@ +--- +title: Get user related alerts API +description: Retrieves a collection of alerts related to a given user ID. +keywords: apis, graph api, supported apis, get, user, related, alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get user related alerts API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves a collection of alerts related to a given user ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alert.Read.All | 'Read all alerts' +Application | Alert.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.Read | 'Read alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only alerts, associated with machines, that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/users/{id}/alerts +``` + +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) ** + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and user exist - 200 OK. If the user do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/users/user1/alerts +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts", + "value": [ + { + "id": "441688558380765161_2136280442", + "incidentId": 8633, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-25T16:19:21.8409809Z", + "firstEventTime": "2018-11-25T16:17:50.0948658Z", + "lastEventTime": "2018-11-25T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + }, + { + "id": "121688558380765161_2136280442", + "incidentId": 4123, + "assignedTo": "secop@contoso.com", + "severity": "Low", + "status": "InProgress", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-24T16:19:21.8409809Z", + "firstEventTime": "2018-11-24T16:17:50.0948658Z", + "lastEventTime": "2018-11-24T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md index 12c741d3fe..ec40578526 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get user related alerts API description: Retrieves a collection of alerts related to a given user ID. keywords: apis, graph api, supported apis, get, user, related, alerts search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,16 +11,16 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 12/08/2017 +ms.date: 11/15/2018 --- -# Get user related alerts API +# Get user related alerts API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a collection of alerts related to a given user ID. diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..da315671ca --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,125 @@ +--- +title: Get user related machines API +description: Retrieves a collection of machines related to a given user ID. +keywords: apis, graph api, supported apis, get, user, user related alerts +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Get user related machines API + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Retrieves a collection of machines related to a given user ID. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Read.All | 'Read all machine profiles' +Application | Machine.ReadWrite.All | 'Read and write all machine information' +Delegated (work or school account) | Machine.Read | 'Read machine information' +Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine information' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- Response will include only machines that the user can access, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/users/{id}/machines +``` + +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) ** + + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and user exists - 200 OK with list of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the body. If user does not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/users/user1/machines +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Machines", + "value": [ + { + "id": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "computerDnsName": "mymachine1.contoso.com", + "firstSeen": "2018-08-02T14:55:03.7791856Z", + "lastSeen": "2018-08-02T14:55:03.7791856Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "172.17.230.209", + "lastExternalIpAddress": "167.220.196.71", + "agentVersion": "10.5830.18209.1001", + "osBuild": 18209, + "healthStatus": "Active", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": true, + "aadDeviceId": "80fe8ff8-2624-418e-9591-41f0491218f9", + "machineTags": [ "test tag 1", "test tag 2" ] + }, + { + "id": "7292e4b8cb74ff1cc3d8a495eb29dc8858b732f7", + "computerDnsName": "mymachine2.contoso.com", + "firstSeen": "2018-07-09T13:22:45.1250071Z", + "lastSeen": "2018-07-09T13:22:45.1250071Z", + "osPlatform": "Windows10", + "osVersion": "10.0.0.0", + "lastIpAddress": "192.168.12.225", + "lastExternalIpAddress": "79.183.65.82", + "agentVersion": "10.5820.17724.1000", + "osBuild": 17724, + "healthStatus": "Inactive", + "rbacGroupId": 140, + "rbacGroupName": "The-A-Team", + "riskScore": "Low", + "isAadJoined": false, + "aadDeviceId": null, + "machineTags": [ "test tag 1" ] + } + ] +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md index 80a2b92234..11f719ebd8 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Get user related machines API description: Retrieves a collection of machines related to a given user ID. keywords: apis, graph api, supported apis, get, user, user related alerts search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Get user related machines API +# Get user related machines API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Retrieves a collection of machines related to a given user ID. diff --git a/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md b/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md index 199ece9336..0f25416ca8 100644 --- a/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md +++ b/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows.md @@ -2,6 +2,7 @@ title: How hardware-based containers help protect Windows 10 (Windows 10) description: Windows 10 uses containers to isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised. ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png b/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png new file mode 100644 index 0000000000..ff9c97c86e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/AH_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png b/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png new file mode 100644 index 0000000000..887498f7bc Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/AR_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png b/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png new file mode 100644 index 0000000000..28b5b3156f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ASR_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png b/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png new file mode 100644 index 0000000000..7e6df62bdf Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/EDR_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png b/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png new file mode 100644 index 0000000000..df1b70e041 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/NGP_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png b/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png new file mode 100644 index 0000000000..95908405ce Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/SS_icon.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png b/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png index 5f0e1199b6..afff6b7093 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-action-center-with-info.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png b/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png index d980fc4ed9..233b126c5b 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-av-scan-action-center.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png new file mode 100644 index 0000000000..93e294ec2b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-assign-role.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png index a4a07d3b92..4449661657 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-azure-new-app.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png b/windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png index c46cc214d7..78290030a9 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-example-email-notification.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png index 0135cd0a3f..bb11c88b62 100644 Binary files a/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png and b/windows/security/threat-protection/windows-defender-atp/images/atp-incident-details.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-incidentlinkedbyreason.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-incidentlinkedbyreason.png new file mode 100644 index 0000000000..7fcdfcc834 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-incidentlinkedbyreason.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-linkedbytooltip.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-linkedbytooltip.png new file mode 100644 index 0000000000..d103afdb87 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-linkedbytooltip.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-reason.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-reason.png new file mode 100644 index 0000000000..7fcdfcc834 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-reason.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-tooltip.png b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-tooltip.png new file mode 100644 index 0000000000..d103afdb87 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-incidents-alerts-tooltip.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png new file mode 100644 index 0000000000..f66b75a274 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-aip.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-settings-powerbi.png b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-powerbi.png new file mode 100644 index 0000000000..68d57863d9 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-settings-powerbi.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png b/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png new file mode 100644 index 0000000000..0148a800b2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/azure-data-discovery.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png b/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png new file mode 100644 index 0000000000..ac8a62b883 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/enable_siem.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png new file mode 100644 index 0000000000..867fb4d976 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-choose-action.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png new file mode 100644 index 0000000000..51588e0bdc Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-define-action.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png new file mode 100644 index 0000000000..f33aa04682 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-e2e.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png new file mode 100644 index 0000000000..1f15b39220 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-insert-db.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png new file mode 100644 index 0000000000..b42c9ec193 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-parse-json.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png new file mode 100644 index 0000000000..89e20f3a67 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/ms-flow-read-db.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png new file mode 100644 index 0000000000..1f7f423e49 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permission.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png new file mode 100644 index 0000000000..eb866e3cce Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-add-permissions-end.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png new file mode 100644 index 0000000000..05d76ec807 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-create.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png new file mode 100644 index 0000000000..92f46bf116 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-decoded-token.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png new file mode 100644 index 0000000000..859e4fa8a3 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-get-appid.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png new file mode 100644 index 0000000000..2114b14c4d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/nativeapp-select-permissions.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png b/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png new file mode 100644 index 0000000000..750bd6e459 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/office-scc-label.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png new file mode 100644 index 0000000000..d5fdf37ac2 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-advanced-query.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png new file mode 100644 index 0000000000..d060becd5b Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-create-blank-query.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png new file mode 100644 index 0000000000..62c96acf75 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-credentials.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png new file mode 100644 index 0000000000..7098c8a543 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-edit-data-privacy.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png new file mode 100644 index 0000000000..5c340e3138 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-open-advanced-editor.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png new file mode 100644 index 0000000000..b94ee3a009 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-query-results.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png new file mode 100644 index 0000000000..dce1698521 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-anonymous.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png new file mode 100644 index 0000000000..049d3ed6ee Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational-cont.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png new file mode 100644 index 0000000000..054470d70e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-credentials-organizational.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png new file mode 100644 index 0000000000..00a8756c43 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/power-bi-set-data-privacy.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/siem_details.png b/windows/security/threat-protection/windows-defender-atp/images/siem_details.png new file mode 100644 index 0000000000..94c724f0c8 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/siem_details.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png new file mode 100644 index 0000000000..8123965c84 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-2.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png new file mode 100644 index 0000000000..40f15eb65a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission-end.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png new file mode 100644 index 0000000000..38e98ce07d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-add-permission.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png new file mode 100644 index 0000000000..4ddb1fae83 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-create-key.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png new file mode 100644 index 0000000000..a091db0189 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-create.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png new file mode 100644 index 0000000000..be98e49216 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-decoded-token.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png new file mode 100644 index 0000000000..47203a8151 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-multitenant.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png new file mode 100644 index 0000000000..1b8396b50e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-edit-settings.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png new file mode 100644 index 0000000000..103081f82c Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-get-appid.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png new file mode 100644 index 0000000000..b7c7e0926f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-grant-permissions.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png new file mode 100644 index 0000000000..8edc069eaf Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-select-permission.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png b/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png new file mode 100644 index 0000000000..c813929e31 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md new file mode 100644 index 0000000000..afb2f9bbdd --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/improverequestperformance-new.md @@ -0,0 +1,23 @@ +--- +title: +description: +keywords: +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 04/24/2018 +--- + +# Improve request performance + + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/incidents-queue.md new file mode 100644 index 0000000000..01abcc2317 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/incidents-queue.md @@ -0,0 +1,36 @@ +--- +title: Incidents queue in Windows Defender ATP +description: +keywords: incidents, aggregate, investigations, queue, ttp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 10/08/2018 +--- + +# Incidents queue in Windows Defender ATP +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease information](prerelease.md)] + +When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Windows Defender ATP will quickly trigger alerts and launch matching automatic investigations. + +Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network. + + +## In this section + +Topic | Description +:---|:--- +[View and organize the Incidents queue](view-incidents-queue.md)| See the list of incidents and learn how to apply filters to limit the list and get a more focused view. +[Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) | Learn how to manage incidents by assigning it, updating its status, or setting its classification and other actions. +[Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)| See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident. + + diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md new file mode 100644 index 0000000000..b0644db04c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-config.md @@ -0,0 +1,49 @@ +--- +title: Configure information protection in Windows +description: Learn how to expand the coverage of WIP to protect files based on their label, regardless of their origin. +keywords: information, protection, data, loss, prevention, wip, policy, scc, compliance, labels, dlp +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/05/2018 +--- + +# Configure information protection in Windows +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease information](prerelease.md)] + +Learn how you can use Windows Defender ATP to expand the coverage of Windows Information Protection (WIP) to protect files based on their label, regardless of their origin. + +## Prerequisites +- Endpoints need to be on Windows 10, version 1809 or later +- You'll need the appropriate license to leverage the Windows Defender ATP and Azure Information Protection integration +- Your tenant needs to be onboarded to Azure Information Protection analytics, for more information see, [Configure a Log Analytics workspace for the reports](https://docs.microsoft.comazure/information-protection/reports-aip#configure-a-log-analytics-workspace-for-the-reports) + + +## Configuration steps +1. Define a WIP policy and assign it to the relevant devices. For more information, see [Protect your enterprise data using Windows Information Protection (WIP)](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip). If WIP is already configured on the relevant devices, skip this step. +2. Define which labels need to get WIP protection in Office 365 Security and Compliance. + + 1. Go to: **Classifications > Labels**. + 2. Create a new label or edit an existing one. + 3. In the configuration wizard, go to 'Data loss prevention' tab and enable WIP. + + ![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png) + + 4. Repeat for every label that you want to get WIP applied to in Windows. + +After completing these steps Windows Defender ATP will automatically identify labeled documents stored on the device and enable WIP on them. + +>[!NOTE] +>- The Windows Defender ATP configuration is pulled every 15 minutes. Allow up to 30 minutes for the new policy to take effect and ensure that the endpoint is online. Otherwise, it will not receive the policy. +>- Data forwarded to Azure Information Protection is stored in the same location as your other Azure Information Protection data. + +## Related topic +- [Information protection in Windows overview](information-protection-in-windows-overview.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md new file mode 100644 index 0000000000..b71095b5fc --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview.md @@ -0,0 +1,95 @@ +--- +title: Information protection in Windows overview +description: Learn about how information protection works in Windows to identify and protect sensitive information +keywords: information, protection, dlp, wip, data, loss, prevention, protect +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/05/2018 +--- + +# Information protection in Windows overview +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease information](prerelease.md)] + +Information protection is an integral part of Microsoft 365 Enterprise suite, providing intelligent protection to keep sensitive data secure while enabling productivity in the workplace. + + +Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite. + + +Windows Defender ATP applies two methods to discover and protect data: +- **Data discovery** - Identify sensitive data on Windows devices at risk +- **Data protection** - Windows Information Protection (WIP) as outcome of Azure Information Protection label + + +## Data discovery +Windows Defender ATP automatically discovers files with sensitivity labels on Windows devices when the feature is enabled. You can enable the Azure Information Protection integration feature from Windows Defender Security Center. For more information, see [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md#azure-information-protection). + + +![Image of settings page with Azure Information Protection](images/atp-settings-aip.png) + +After enabling the Azure Information Protection integration, data discovery signals are immediately forwarded to Azure Information Protection from the device. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically reports the signal to Azure Information Protection. + +The reported signals can be viewed on the Azure Information Protection - Data discovery dashboard. + +### Azure Information Protection - Data discovery dashboard +This dashboard presents a summarized discovery information of data discovered by both Windows Defender ATP and Azure Information Protection. Data from Windows Defender ATP is marked with Location Type - Endpoint. + +![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png) + + +Notice the Device Risk column on the right, this device risk is derived directly from Windows Defender ATP, indicating the risk level of the security device where the file was discovered, based on the active security threats detected by Windows Defender ATP. + +Clicking the device risk level will redirect you to the device page in Windows Defender ATP, where you can get a comprehensive view of the device security status and its active alerts. + + +>[!NOTE] +>Windows Defender ATP does not currently report the Information Types. + +### Log Analytics +Data discovery based on Windows Defender ATP is also available in [Azure Log Analytics](https://docs.microsoft.com/azure/log-analytics/log-analytics-overview), where you can perform complex queries over the raw data. + +For more information on Azure Information Protection analytics, see [Central reporting for Azure Information Protection](https://docs.microsoft.com/azure/information-protection/reports-aip). + +Open Azure Log Analytics in Azure Portal and open a query builder (standard or classic). + +To view Windows Defender ATP data, perform a query that contains: + + +``` +InformationProtectionLogs_CL +| where Workload_s == "Windows Defender" +``` + +**Prerequisites:** +- Customers must have a subscription for Azure Information Protection. +- Enable Azure Information Protection integration in Windows Defender Security Center: + - Go to **Settings** in Windows Defender Security Center, click on **Advanced Settings** under **General**. + + +## Data protection +For data to be protected, they must first be identified through labels. Sensitivity labels are created in Office Security and Compliance (SCC). Windows Defender ATP then uses the labels to identify endpoints that need Windows Information Protection (WIP) applied on them. + + +When you create sensitivity labels, you can set the information protection functionalities that will be applied on the file. The setting that applies to Windows Defender ATP is the Data loss prevention. You'll need to turn on the Data loss prevention and select Enable Windows end point protection (DLP for devices). + + +![Image of Office 365 Security and Compliance sensitivity label](images/office-scc-label.png) + +Once, the policy is set and published, Windows Defender ATP automatically enables WIP for labeled files. When a labeled file is created or modified on a Windows device, Windows Defender ATP automatically detects it and enables WIP on that file if its label corresponds with Office Security and Compliance (SCC) policy. + +This functionality expands the coverage of WIP to protect files based on their label, regardless of their origin. + +For more information, see [Configure information protection in Windows](information-protection-in-windows-config.md). + + +## Related topics +- [How Windows Information Protection protects files with a sensitivity label](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index 3842b1c129..55f697cb46 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Investigate Windows Defender Advanced Threat Protection alerts description: Use the investigation options to get details on alerts are affecting your network, what they mean, and how to resolve them. keywords: investigate, investigation, machines, machine, alerts queue, dashboard, IP address, file, submit, submissions, deep analysis, timeline, search, domain, URL, IP search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -17,7 +18,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -53,14 +54,11 @@ Some actor profiles include a link to download a more comprehensive threat intel The detailed alert profile helps you understand who the attackers are, who they target, what techniques, tools, and procedures (TTPs) they use, which geolocations they are active in, and finally, what recommended actions you may take. In many cases, you can download a more detailed Threat Intelligence report about this attacker or campaign for offline reading. ## Alert process tree -The **Alert process tree** takes alert triage and investigation to the next level, displaying the alert and related evidence, together with other events that occurred within the same execution context and time. This rich triage context of the alert and surrounding events is available on the alert page. +The **Alert process tree** takes alert triage and investigation to the next level, displaying the aggregated alert and surrounding evidence that occurred within the same execution context and time period. This rich triage and investigation context is available on the alert page. ![Image of the alert process tree](images/atp-alert-process-tree.png) -The **Alert process tree** expands to display the execution path of the alert, its evidence, and related events that occurred in the minutes - before and after - the alert. - -The alert and related events or evidence have circles with thunderbolt icons inside them. - +The **Alert process tree** expands to display the execution path of the alert and related evidence that occurred around the same period. Items marked with a thunderbolt icon should be given priority during investigation. >[!NOTE] >The alert process tree might not be available in some alerts. diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index 6e47b6ddea..3529488b89 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Investigate Windows Defender Advanced Threat Protection domains description: Use the investigation options to see if machines and servers have been communicating with malicious domains. keywords: investigate domain, domain, malicious domain, windows defender atp, alert, URL search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -17,7 +18,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md index 6640bb6e9f..196e04a38f 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Investigate Windows Defender Advanced Threat Protection files description: Use the investigation options to get details on files associated with alerts, behaviours, or events. keywords: investigate, investigation, file, malicious activity, attack motivation, deep analysis, deep analysis report search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -17,7 +18,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..464c9131b9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md @@ -0,0 +1,79 @@ +--- +title: Investigate incidents in Windows Defender ATP +description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident +keywords: investigate, incident, alerts, metadata, risk, detection source, affected machines, patterns, correlation +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 10/08/2018 +--- + +# Investigate incidents in Windows Defender ATP + +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease information](prerelease.md)] + +Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them. + +## Analyze incident details +Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph). + +![Image of incident details](images/atp-incident-details.png) + +### Alerts +You can investigate the alerts and see how they were linked together in an incident. +Alerts are grouped into incidents based on the following reasons: +- Automated investigation - The automated investigation triggered the linked alert while investigating the original alert +- File characteristics - The files associated with the alert have similar characteristics +- Manual association - A user manually linked the alerts +- Proximate time - The alerts were triggered on the same machine within a certain timeframe +- Same file - The files associated with the alert are exactly the same + +![Image of alerts tab in incident page showing the Linked by tool tip](images/atp-incidents-alerts-tooltip.png) + +![Image of alerts tab with incident details page showing the reasons the alerts were linked together in that incident](images/atp-incidents-alerts-reason.png) + +You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md). + +### Machines +You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). + +![Image of machines tab in incident details page](images/atp-incident-machine-tab.png) + +### Investigations +Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts. + +![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png) + +## Going through the evidence +Windows Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident. +Each of the analyzed entities will be marked as infected, remediated, or suspicious. + +![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png) + +## Visualizing associated cybersecurity threats +Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph. + +### Incident graph +The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc. + +![Image of the incident graph](images/atp-incident-graph-tab.png) + +You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether it’s been observed in your organization, if so, how many instances. + +![Image of indcident details](images/atp-incident-graph-details.png) + +## Related topics +- [Incidents queue](incidents-queue.md) +- [View and organize the Incidents queue](view-incidents-queue.md) +- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) + + diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md index 29592bd0f8..0a5384f47f 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Investigate an IP address associated with an alert description: Use the investigation options to examine possible communication between machines and external IP addresses. keywords: investigate, investigation, IP address, alert, windows defender atp, external IP search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -17,7 +18,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index c88e3f9b5e..2c1fdf3100 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Investigate machines in the Windows Defender ATP Machines list description: Investigate affected machines by reviewing alerts, network connection information, adding machine tags and groups, and checking the service health. keywords: machines, tags, groups, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity, service heatlh search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,13 +11,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 09/18/2018 --- # Investigate machines in the Windows Defender ATP Machines list **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-investigatemachines-abovefoldlink) @@ -60,7 +61,7 @@ You'll also see details such as logon types for each user account, the user grou For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md). **Machine risk**
    -The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level is determined using the number of active alerts and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to. +The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to. **Azure Advanced Threat Protection**
    If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. @@ -113,6 +114,17 @@ Use the search bar to look for specific timeline events. Harness the power of us Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed. + +>[!NOTE] +> For firewall events to be displayed, you'll need to enable the audit policy, see [Audit Filtering Platform connection](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-filtering-platform-connection). +>Firewall covers the following events: +>- [5025](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5025) - firewall service stopped +>- [5031](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5031) - application blocked from accepting incoming connections on the network +>- [5157](https://docs.microsoft.com/windows/security/threat-protection/auditing/event-5157) - blocked connection + + + + - **User account** – Click the drop-down button to filter the machine timeline by the following user associated events: - Logon users - System diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md index c7a8ba2be1..7850ace854 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Investigate a user account in Windows Defender ATP description: Investigate a user account for potential compromised credentials or pivot on the associated user account during an investigation. keywords: investigate, account, user, user entity, alert, windows defender atp search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..066dac83dd --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,80 @@ +--- +title: Is domain seen in org API +description: Use this API to create calls related to checking whether a domain was seen in the organization. +keywords: apis, graph api, supported apis, domain, domain seen +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 04/24/2018 +--- + +# Was domain seen in org +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + +Answers whether a domain was seen in the organization. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Url.Read.All | 'Read URLs' +Delegated (work or school account) | URL.Read.All | 'Read URLs' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/domains/{domain} +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and domain exists - 200 OK. If domain does not exist - 404 Not Found. + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +GET https://api.securitycenter.windows.com/api/domains/example.com +Content-type: application/json +``` + +**Response** + +Here is an example of the response. + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Domains/$entity", + "host": "example.com" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md index 3bda2052aa..6dee679614 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Is domain seen in org API description: Use this API to create calls related to checking whether a domain was seen in the organization. keywords: apis, graph api, supported apis, domain, domain seen search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,9 +14,14 @@ ms.localizationpriority: medium ms.date: 04/24/2018 --- -# Is domain seen in org +# Is domain seen in org (deprecated) Answers whether a domain was seen in the organization. +[!include[Deprecatedinformation](deprecate.md)] + + + + ## Permissions User needs read permissions. diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..fc6b531fc1 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,81 @@ +--- +title: Is IP seen in org API +description: Answers whether an IP was seen in the organization. +keywords: apis, graph api, supported apis, is, ip, seen, org, organization +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Was IP seen in org +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] + +Answers whether an IP was seen in the organization. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ip.Read.All | 'Read IP address profiles' +Delegated (work or school account) | Ip.Read.All | 'Read IP address profiles' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +GET /api/ips/{ip} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. + + +## Request body +Empty + +## Response +If successful and IP exists - 200 OK. If IP do not exist - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +``` +GET https://api.securitycenter.windows.com/api/ips/10.209.67.177 +``` + +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Ips/$entity", + "id": "10.209.67.177" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md index 0e5cdd372b..42887d7fa8 100644 --- a/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Is IP seen in org API description: Answers whether an IP was seen in the organization. keywords: apis, graph api, supported apis, is, ip, seen, org, organization search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Is IP seen in org +# Is IP seen in org (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Answers whether an IP was seen in the organization. diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..696d961f94 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,108 @@ +--- +title: Isolate machine API +description: Use this API to create calls related isolating a machine. +keywords: apis, graph api, supported apis, isolate machine +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Isolate machine API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Isolates a machine from accessing external network. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Isolate | 'Isolate machine' +Delegated (work or school account) | Machine.Isolate | 'Isolate machine' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/isolate +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'. + +**IsolationType** controls the type of isolation to perform and can be one of the following: +- Full – Full isolation +- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network) for more details) + + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/isolate +Content-type: application/json +{ + "Comment": "Isolate machine due to alert 1234", + “IsolationType”: “Full” +} + +``` +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "b89eb834-4578-496c-8be0-03f004061435", + "type": "Isolate", + "requestor": "Analyst@contoso.com ", + "requestorComment": "Isolate machine due to alert 1234", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2017-12-04T12:12:18.9725659Z", + "lastUpdateTimeUtc": "2017-12-04T12:12:18.9725659Z", + "relatedFileInfo": null +} + +``` + +To unisolate a machine, see [Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md). diff --git a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md index 8a1af5560e..c7b6c877d3 100644 --- a/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Isolate machine API description: Use this API to create calls related isolating a machine. keywords: apis, graph api, supported apis, isolate machine search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Isolate machine API +# Isolate machine API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Isolates a machine from accessing external network. diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md index c2460df138..3e8115cdf3 100644 --- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Validate licensing provisioning and complete Windows Defender ATP set up description: Validating licensing provisioning, setting up initial preferences, and completing the user set up for Windows Defender Advanced Threat Protection portal. keywords: license, licensing, account, set up, validating licensing, windows defender atp search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -17,7 +18,7 @@ ms.date: 10/16/2017 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md index 2969a1b1a1..4f1279bc34 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Create and manage machine groups in Windows Defender ATP description: Create machine groups and set automated remediation levels on them by confiring the rules that apply on the group keywords: machine groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -19,7 +20,7 @@ ms.date: 05/08/2018 - Azure Active Directory - Office 365 -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -61,7 +62,7 @@ As part of the process of creating a machine group, you'll: - **Members** >[!TIP] - >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). + >If you want to group machines by organizational unit, you can configure the registry key for the group affiliation. For more information on device tagging, see [Manage machine group and tags](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection#manage-machine-group-and-tags). 4. Preview several machines that will be matched by this rule. If you are satisfied with the rule, click the **Access** tab. @@ -88,4 +89,5 @@ Machines that are not matched to any groups are added to Ungrouped machines (def ## Related topic -- [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection.md) \ No newline at end of file +- [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection.md) +- [Get list of tenant machine groups using Graph API](get-machinegroups-collection-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md index eb5a096cf1..b6fc180e59 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Create and manage machine tags description: Use machine tags to group machines to capture context and enable dynamic list creation as part of an incident keywords: tags, machine tags, machine groups, groups, remediation, level, rules, aad group, role, assign, rank search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -47,7 +48,7 @@ Use the following registry key entry to add a tag on a machine: - Registry key value (string): Group >[!NOTE] ->The device tag is part of the machine information report thats generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. +>The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. ## Add machine tags using the portal diff --git a/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..4d6a156ac0 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machine-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,48 @@ +--- +title: Machine resource type +description: Retrieves top machines +keywords: apis, supported apis, get, machines +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 11/11/2018 +--- + +# Machine resource type + + +# Methods +Method|Return Type |Description +:---|:---|:--- +[List machines](get-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List set of [machine](machine-windows-defender-advanced-threat-protection-new.md) entities in the org. +[Get machine](get-machine-by-id-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Get a [machine](machine-windows-defender-advanced-threat-protection-new.md) by its identity. +[Get logged on users](get-machine-log-on-users-windows-defender-advanced-threat-protection-new.md) | [user](user-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [User](user-windows-defender-advanced-threat-protection-new.md) that logged on to the [machine](machine-windows-defender-advanced-threat-protection-new.md). +[Get related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | Get the set of [alert](alerts-windows-defender-advanced-threat-protection-new.md) entities that were raised on the [machine](machine-windows-defender-advanced-threat-protection-new.md). +[Add or Remove machine tags](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) | Add or Remove tag to a specific machine. +[Find machines by IP](find-machines-by-ip-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | Find machines seen with IP. + +# Properties +Property | Type | Description +:---|:---|:--- +id | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) identity. +computerDnsName | String | [machine](machine-windows-defender-advanced-threat-protection-new.md) fully qualified name. +firstSeen | DateTimeOffset | First date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP. +lastSeen | DateTimeOffset | Last date and time where the [machine](machine-windows-defender-advanced-threat-protection-new.md) was observed by WDATP. +osPlatform | String | OS platform. +osVersion | String | OS Version. +lastIpAddress | String | Last IP on local NIC on the [machine](machine-windows-defender-advanced-threat-protection-new.md). +lastExternalIpAddress | String | Last IP through which the [machine](machine-windows-defender-advanced-threat-protection-new.md) accessed the internet. +agentVersion | String | Version of WDATP agent. +osBuild | Nullable long | OS build number. +healthStatus | Enum | [machine](machine-windows-defender-advanced-threat-protection-new.md) health status. Possible values are: "Active", "Inactive", "ImpairedCommunication", "NoSensorData" and "NoSensorDataImpairedCommunication" +rbacGroupId | Int | RBAC Group ID. +rbacGroupName | String | RBAC Group Name. +riskScore | Nullable Enum | Risk score as evaluated by WDATP. Possible values are: 'None', 'Low', 'Medium' and 'High'. +isAadJoined | Nullable Boolean | Is [machine](machine-windows-defender-advanced-threat-protection-new.md) AAD joined. +aadDeviceId | Nullable Guid | AAD Device ID (when [machine](machine-windows-defender-advanced-threat-protection-new.md) is Aad Joined). +machineTags | String collection | Set of [machine](machine-windows-defender-advanced-threat-protection-new.md) tags. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..580d9cd88b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machineaction-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,48 @@ +--- +title: machineAction resource type +description: Retrieves top recent machineActions. +keywords: apis, supported apis, get, machineaction, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# MachineAction resource type + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Method|Return Type |Description +:---|:---|:--- +[List MachineActions](get-machineactions-collection-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | List [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entities. +[Get MachineAction](get-machineaction-object-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get a single [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. +[Collect investigation package](collect-investigation-package-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Collect investigation package from a [machine](machine-windows-defender-advanced-threat-protection-new.md). +[Get investigation package SAS URI](get-package-sas-uri-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Get URI for downloading the investigation package. +[Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Isolate [machine](machine-windows-defender-advanced-threat-protection-new.md) from network. +[Release machine from isolation](unisolate-machine-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Release [machine](machine-windows-defender-advanced-threat-protection-new.md) from Isolation. +[Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Restrict application execution. +[Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Remove application execution restriction. +[Run antivirus scan](run-av-scan-windows-defender-advanced-threat-protection-new.md) | [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Run an AV scan using Windows Defender (when applicable). +[Offboard machine](offboard-machine-api-windows-defender-advanced-threat-protection-new.md)|[Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) | Offboard [machine](machine-windows-defender-advanced-threat-protection-new.md) from WDATP. + +# Properties +Property | Type | Description +:---|:---|:--- +id | Guid | Identity of the [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) entity. +type | Enum | Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution" +requestor | String | Identity of the person that executed the action. +requestorComment | String | Comment that was written when issuing the action. +status | Enum | Current status of the command. Possible values are: "Pending", "InProgress", "Succeeded", "Failed", "TimeOut" and "Cancelled". +machineId | String | Id of the machine on which the action was executed. +creationDateTimeUtc | DateTimeOffset | The date and time when the action was created. +lastUpdateTimeUtc | DateTimeOffset | The last date and time when the action status was updated. +relatedFileInfo | Class | Contains two Properties. 1) string 'fileIdentifier' 2) Enum 'fileIdentifierType' with the possible values: "Sha1" ,"Sha256" and "Md5". + diff --git a/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md new file mode 100644 index 0000000000..fcbd68ecec --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/machineactionsnote.md @@ -0,0 +1,6 @@ +--- +ms.date: 08/28/2017 +author: zavidor +--- +>[!Note] +> This page focuses on performing a machine action via API. See [take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information about response actions functionality via WDATP. diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md index d75eefe80b..71992afbff 100644 --- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: View and organize the Windows Defender ATP machines list description: Learn about the available features that you can use from the Machines list such as sorting, filtering, and exporting the list to enhance investigations. keywords: sort, filter, export, csv, machine name, domain, last seen, internal IP, health state, active alerts, active malware detections, threat category, review alerts, network, connection, malware, type, password stealer, ransomware, exploit, threat, general malware, unwanted software search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 09/03/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-machinesview-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md index 00142f3502..352b56b258 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Manage Windows Defender Advanced Threat Protection alerts description: Change the status of alerts, create suppression rules to hide alerts, submit comments, and review change history for individual alerts with the Manage Alert menu. keywords: manage alerts, manage, alerts, status, new, in progress, resolved, resolve alerts, suppress, supression, rules, context, history, comments, changes search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 09/03/2018 # Manage Windows Defender Advanced Threat Protection alerts **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-managealerts-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md index a5df326a4d..357ef56c3f 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-auto-investigation-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Learn about the automated investigations dashboard in Windows Defender Se description: View the list of automated investigations, its status, detection source and other details. keywords: autoir, automated, investigation, detection, dashboard, source, threat types, id, tags, machines, duration, filter export search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md index 46adcfac19..3f276fd070 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Manage automation allowed/blocked lists description: Create lists that control what items are automatically blocked or allowed during an automatic investigation. keywords: manage, automation, whitelist, blacklist, block, clean, malicious search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 06/14/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md index 9a359aaabc..99572285a6 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Manage automation file uploads description: Enable content analysis and configure the file extension and email attachment extensions that will be sumitted for analysis keywords: automation, file, uploads, content, analysis, file, extension, email, attachment search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md index d3ed61a295..d078349bb4 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Manage automation folder exclusions description: Add automation folder exclusions to control the files that are excluded from an automated investigation. keywords: manage, automation, exclusion, whitelist, blacklist, block, clean, malicious search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-edr.md b/windows/security/threat-protection/windows-defender-atp/manage-edr.md index 97ff8bd046..5252fa2868 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-edr.md @@ -3,6 +3,7 @@ title: Manage endpoint detection and response capabilities description: keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md new file mode 100644 index 0000000000..83a65ee991 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md @@ -0,0 +1,62 @@ +--- +title: Manage Windows Defender ATP incidents +description: Manage incidents by assigning it, updating its status, or setting its classification. +keywords: incidents, manage, assign, status, classification, true alert, false alert +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 010/08/2018 +--- + +# Manage Windows Defender ATP incidents + +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease information](prerelease.md)] + + +Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress. + +![Image of the incidents management pane](images/atp-incidents-mgt-pane.png) + +Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details. + +![Image of incident detail page](images/atp-incident-details-page.png) + + +## Assign incidents +If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it. + +## Change the incident status +You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents. + +For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation. + +Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated. + +## Classify the incident +You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them. + +## Rename incident +By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification. + +![Image of incident renaming](images/atp-rename-incident.png) + +## Add comments and view the history of an incident +You can add comments and view historical events about an incident to see previous changes made to it. + +Whenever a change or comment is made to an alert, it is recorded in the Comments and history section. + +Added comments instantly appear on the pane. + +## Related topics +- [Incidents queue](incidents-queue.md) +- [View and organize the Incidents queue](view-incidents-queue.md) +- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md index 1fa0357ade..7154f763fb 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Manage Windows Defender Advanced Threat Protection suppression rules description: Manage suppression rules keywords: manage suppression, rules, rule name, scope, action, alerts, turn on, turn off search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/management-apis.md b/windows/security/threat-protection/windows-defender-atp/management-apis.md index 2e0966140c..0837b7356d 100644 --- a/windows/security/threat-protection/windows-defender-atp/management-apis.md +++ b/windows/security/threat-protection/windows-defender-atp/management-apis.md @@ -3,6 +3,7 @@ title: Overview of management and APIs description: keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 09/03/2018 # Overview of management and APIs **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mgt-apis-abovefoldlink) @@ -42,6 +43,17 @@ An important aspect of machine management is the ability to analyze the environm - The Secure score dashboard provides metrics based method of prioritizing the most important proactive security measures. - Windows Defender ATP includes a built-in PowerBI based reporting solution to quickly review trends and details related to Windows Defender ATP alerts and secure score of machines. The platform also supports full customization of the reports, including mashing of Windows Defender ATP data with your own data stream to produce business specific reports. + +## In this section +Topic | Description +:---|:--- +Understand threat intelligence concepts | Learn about alert definitions, indicators of compromise, and other threat intelligence concepts. +Supported Windows Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. +Managed security service provider | Get a quick overview on managed security service provider support. + + + + ## Related topics - [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md) - [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md index 77af2ccba3..ba9be2d111 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md @@ -3,6 +3,7 @@ title: Configure Microsoft Cloud App Security integration description: Learn how to turn on the settings to enable the Windows Defender ATP integration with Microsoft Cloud App Security. keywords: cloud, app, security, settings, integration, discovery, report search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,19 +11,23 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 10/19/2018 --- -# Configure Microsoft Cloud App Security integration +# Configure Microsoft Cloud App Security in Windows **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -[!include[Prereleaseinformation](prerelease.md)] +[!include[Prerelease�information](prerelease.md)] To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. + +>[!NOTE] +>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. + 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select **Microsoft Cloud App Security** and switch the toggle to **On**. 3. Click **Save preferences**. @@ -52,7 +57,7 @@ Notice the new **Machines** tab that allows you to view the data split to the de ![Cloud discovery](./images/cloud-discovery.png) -For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/en-us/cloud-app-security/discovered-apps). +For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps). If you are interested in trying Microsoft Cloud App Security, see [Microsoft Cloud App Security Trial](https://signup.microsoft.com/Signup?OfferId=757c4c34-d589-46e4-9579-120bba5c92ed&ali=1). diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md index 4b4962140d..12da630b32 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md @@ -1,8 +1,9 @@ --- title: Microsoft Cloud App Security integration overview -description: -keywords: +description: Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage +keywords: cloud, app, networking, visibility, usage search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,17 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 10/18/2018 --- -# Microsoft Cloud App Security integration overview +# Microsoft Cloud App Security in Windows overview **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -[!include[Prereleaseinformation](prerelease.md)] +[!include[Prerelease�information](prerelease.md)] Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security). +>[!NOTE] +>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. + ## Windows Defender ATP and Cloud App Security integration Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity. @@ -33,7 +37,7 @@ The integration provides the following major improvements to the existing Cloud - Device context - Cloud traffic logs lack device context. Windows Defender ATP network activity is reported with the device context (which device accessed the cloud app), so you are able to understand exactly where (device) the network activity took place, in addition to who (user) performed it. -For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/en-us/cloud-app-security/discovered-apps). +For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps). ## Related topic diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 84f62905aa..09f32289a1 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Minimum requirements for Windows Defender ATP description: Minimum network and data storage configuration, machine hardware and software requirements, and deployment channel requirements for Windows Defender ATP. keywords: minimum requirements, Windows Defender Advanced Threat Protection minimum requirements, network and data storage, machine configuration, deployment channel search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,18 +11,23 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/01/2018 +ms.date: 11/20/2018 --- # Minimum requirements for Windows Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) There are some minimum requirements for onboarding machines to the service. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-minreqs-abovefoldlink) + +>[!TIP] +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + ## Licensing requirements Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: @@ -29,7 +35,10 @@ Windows Defender Advanced Threat Protection requires one of the following Micros - Windows 10 Education E5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 -For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). +For more information on the array of features in Windows 10 editions, see [Compare Windows 10 editions](https://www.microsoft.com/en-us/windowsforbusiness/compare). + +For a detailed comparison table of Windows 10 commercial edition comparison, see the [comparison PDF](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). + ## Related topic diff --git a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md index 0ec05caa9c..71a710869a 100644 --- a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Managed security service provider (MSSP) support description: Understand how Windows Defender ATP integrates with managed security service providers (MSSP) keywords: mssp, integration, managed, security, service, provider search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,17 +11,17 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 10/29/2018 --- # Managed security service provider support **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink) -[!include[Prereleaseinformation](prerelease.md)] + Security is recognized as a key component in running an enterprise, however some organizations might not have the capacity or expertise to have a dedicated security operations team to manage the security of their endpoints and network, others may want to have a second set of eyes to review alerts in their network. diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..0200975d55 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machine-api-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,98 @@ +--- +title: Offboard machine API +description: Use this API to offboard a machine from WDATP. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Offboard machine API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Offboard machine from WDATP. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Offboard | 'Offboard machine' +Delegated (work or school account) | Machine.Offboard | 'Offboard machine' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to 'Global Admin' AD role +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/offboard +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/offboard +Content-type: application/json +{ + "Comment": "Offboard machine by automation" +} +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "c9042f9b-8483-4526-87b5-35e4c2532223", + "type": "OffboardMachine", + "requestor": "Analyst@contoso.com", + "requestorComment": "offboard machine by automation", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:09:24.1785079Z", + "lastUpdateTimeUtc": "2018-12-04T12:09:24.1785079Z", + "relatedFileInfo": null +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md index af9a42584f..17bba254f9 100644 --- a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Offboard machines from the Windows Defender ATP service description: Onboard Windows 10 machines, servers, non-Windows machines from the Windows Defender ATP service keywords: offboarding, windows defender advanced threat protection offboarding, windows atp offboarding search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -20,7 +21,7 @@ ms.date: 04/24/2018 - Linux - Windows Server 2012 R2 - Windows Server 2016 -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md index 34c07f0734..3dd7d4940d 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard machines to the Windows Defender ATP service description: Onboard Windows 10 machines, servers, non-Windows machines and learn how to run a detection test. keywords: onboarding, windows defender advanced threat protection onboarding, windows atp onboarding, sccm, group policy, mdm, local script, detection test search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,13 +11,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/01/2018 +ms.date: 11/19/2018 --- # Onboard machines to the Windows Defender ATP service **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You need to turn on the sensor to give visibility within Windows Defender ATP. @@ -41,7 +42,7 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us - Windows 7 SP1 Pro - Windows 8.1 Enterprise - Windows 8.1 Pro -- Windows 10 +- Windows 10, version 1607 or later - Windows 10 Enterprise - Windows 10 Education - Windows 10 Pro @@ -49,7 +50,8 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us - Windows server - Windows Server 2012 R2 - Windows Server 2016 - - Windows Server, version 1803 + - Windows Server 2016, version 1803 + - Windows Server 2019 Machines on your network must be running one of these editions. @@ -64,7 +66,7 @@ The hardware requirements for Windows Defender ATP on machines is the same as th - Linux >[!NOTE] ->You'll need to know the exact Linux distros and macOS X versions that are compatible with Windows Defender ATP for the integration to work. +>You'll need to know the exact Linux distros and macOS versions that are compatible with Windows Defender ATP for the integration to work. ### Network and data storage and configuration requirements @@ -126,7 +128,7 @@ If the **START_TYPE** is not set to **AUTO_START**, then you'll need to set the #### Internet connectivity Internet connectivity on machines is required either directly or through proxy. -The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. +The Windows Defender ATP sensor can utilize a daily average bandwidth of 5MB to communicate with the Windows Defender ATP cloud service and report cyber data. One-off activities such as file uploads and investigation package collection are not included in this daily average bandwidth. For more information on additional proxy configuration settings see, [Configure machine proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . @@ -162,4 +164,4 @@ Topic | Description [Configure proxy and Internet settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)| Enable communication with the Windows Defender ATP cloud service by configuring the proxy and Internet connectivity settings. [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) | Learn about resolving issues that might arise during onboarding. ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) \ No newline at end of file +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md index 1428a1b310..4fdcb667bb 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Onboard previous versions of Windows on Windows Defender ATP description: Onboard supported previous versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor keywords: onboard, windows, 7, 81, oms, sp1, enterprise, pro, down level search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 06/18/2018 +ms.date: 11/19/2018 --- # Onboard previous versions of Windows @@ -21,7 +22,7 @@ ms.date: 06/18/2018 - Windows 7 SP1 Pro - Windows 8.1 Pro - Windows 8.1 Enterprise -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) [!include[Prerelease information](prerelease.md)] @@ -43,24 +44,30 @@ To onboard down-level Windows client endpoints to Windows Defender ATP, you'll n Windows Defender ATP integrates with System Center Endpoint Protection to provide visibility to malware detections and to stop propagation of an attack in your organization by banning potentially malicious files or suspected malware. The following steps are required to enable this integration: -- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/en-us/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) +- Install the [January 2017 anti-malware platform update for Endpoint Protection clients](https://support.microsoft.com/help/3209361/january-2017-anti-malware-platform-update-for-endpoint-protection-clie) - Configure the SCEP client Cloud Protection Service membership to the **Advanced** setting +- Configure your network to allow connections to the Windows Defender Antivirus cloud. For more information, see [Allow connections to the Windows Defender Antivirus cloud](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus#allow-connections-to-the-windows-defender-antivirus-cloud) ## Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP ### Before you begin Review the following details to verify minimum system requirements: -- Install the [February monthly update rollout](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) +- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) >[!NOTE] >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) - - >[!NOTE] - >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. -- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in your environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites) +- Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) + + >[NOTE] + >Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro. + >Don't install .NET framework 4.0.x, since it will negate the above installation. + +- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in you environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites) + + 1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604). @@ -72,7 +79,7 @@ Review the following details to verify minimum system requirements: 3. Using the Workspace ID and Workspace key choose any of the following installation methods to install the agent: - Manually install the agent using setup
    On the **Agent Setup Options** page, select **Connect the agent to Azure Log Analytics (OMS)** - - [Install the agent using command line](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script) + - [Install the agent using command line](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#install-the-agent-using-the-command-line) and [configure the agent using a script](https://docs.microsoft.com/azure/log-analytics/log-analytics-agent-windows#add-a-workspace-using-a-script) 4. If you're using a proxy to connect to the Internet see the Configure proxy settings section. diff --git a/windows/security/threat-protection/windows-defender-atp/onboard.md b/windows/security/threat-protection/windows-defender-atp/onboard.md index 39ee66db3c..eff2042b2e 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard.md @@ -3,6 +3,7 @@ title: Configure and manage Windows Defender ATP capabilities description: Configure and manage Windows Defender ATP capabilities such as attack surface reduction, next generation protection, and security controls keywords: configure, manage, capabilities, attack surface reduction, next generation protection, security controls, endpoint detection and response, auto investigation and remediation, security controls, controls search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -14,6 +15,9 @@ ms.date: 09/03/2018 --- # Configure and manage Windows Defender ATP capabilities +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Configure and manage all the Windows Defender ATP capabilities to get the best security protection for your organization. @@ -24,7 +28,7 @@ Topic | Description [Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. [Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | Configure the security controls in Secure score to increase the security posture of your organization. -Configure Microsoft threat protection integration| Configure other solutions that integrate with Windows Defender ATP. +Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Windows Defender ATP. Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md index 98d08c46d6..fdd308623f 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md @@ -3,6 +3,7 @@ title: Overview of attack surface reduction description: Learn about the attack surface reduction capability in Windows Defender ATP keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 07/01/2018 # Overview of attack surface reduction **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Attack surface reduction capabilities in Windows Defender ATP helps protect the devices and applications in your organization from new and emerging threats. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md index 9b2912076d..de0be3f887 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md @@ -3,6 +3,7 @@ title: Custom detections overview description: Understand how how you can leverage the power of advanced hunting to create custom detections keywords: custom detections, detections, advanced hunting, hunt, detect, query search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,15 +11,14 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 10/29/2018 --- # Custom detections overview **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -[!include[Prereleaseinformation](prerelease.md)] Alerts in Windows Defender ATP are surfaced through the system based on signals gathered from endpoints. With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md index 31b65ba716..ae60213fe2 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md @@ -3,6 +3,7 @@ title: Overview of endpoint detection and response capabilities description: Learn about the endpoint detection and response capabilities in Windows Defender ATP keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,10 +17,10 @@ ms.date: 09/03/2018 # Overview of endpoint detection and response **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -The Widows Defender ATP endpoint detection and response capabilities provides near real-time actionable advance attacks detections, enables security analysts to effectively prioritize alerts, unfold the full scope of a breach and take response actions to remediate the threat. +The Windows Defender ATP endpoint detection and response capabilities provides near real-time actionable advance attacks detections, enables security analysts to effectively prioritize alerts, unfold the full scope of a breach and take response actions to remediate the threat. When a threat is detected, alerts are be created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md index 9d8cdabaae..99b9d8721c 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md @@ -1,6 +1,7 @@ --- title: Hardware-based isolation (Windows 10) description: Learn about how hardware-based isolation in Windows 10 helps to combat malware. +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -13,7 +14,7 @@ ms.date: 09/07/2018 # Hardware-based isolation in Windows 10 -**Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) +**Applies to:** [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Windows Defender ATP. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md index 598138a8ef..5bed487738 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md @@ -1,8 +1,9 @@ --- title: Overview of advanced hunting capabilities -description: Hunt for possible threats accross your organization using a powerful search and query tool +description: Hunt for possible threats across your organization using a powerful search and query tool keywords: advanced hunting, hunting, search, query, tool, intellisense, telemetry search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,7 +16,7 @@ ms.date: 09/12/2018 # Overview of advanced hunting **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Advanced hunting allows you to hunt for possible threats across your organization using a powerful search and query tool. You can also create custom detection rules based on the queries you created and surface alerts in Windows Defender Security Center. @@ -30,6 +31,7 @@ With advanced hunting, you can take advantage of the following capabilities: Topic | Description :---|:--- [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md) | Learn how to use the basic or advanced query examples to search for possible emerging threats in your organization. +[Custom detections](overview-custom-detections.md)| With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. diff --git a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md index 222e5cfffa..7e3637ad4f 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Overview of Secure score in Windows Defender Security Center description: Expand your visibility into the overall security posture of your organization keywords: secure score, security controls, improvement opportunities, security score over time, score, posture, baseline search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,7 +16,7 @@ ms.date: 09/03/2018 # Overview of Secure score in Windows Defender Security Center **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. @@ -74,3 +75,4 @@ Clicking the link under the Misconfigured machines column opens up the **Machine ## Related topic - [Threat analytics](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) +- [Threat analytics for Spectre and Meltdown](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md index 1277a549bf..83c00ed68b 100644 --- a/windows/security/threat-protection/windows-defender-atp/overview.md +++ b/windows/security/threat-protection/windows-defender-atp/overview.md @@ -3,6 +3,7 @@ title: Overview of Windows Defender ATP description: keywords: search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,13 +11,20 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 11/20/2018 --- # Overview of Windows Defender ATP capabilities +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. +>[!TIP] +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + ## In this section Topic | Description @@ -24,11 +32,11 @@ Topic | Description [Attack surface reduction](overview-attack-surface-reduction.md) | Leverage the attack surface reduction capabilities to protect the perimeter of your organization. [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers. [Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats. -[Automated investigation and investigation](automated-investigations-windows-defender-advanced-threat-protection.md) | In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. +[Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md) | In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place. [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) | Use a powerful search and query language to create custom queries and detection rules. [Management and APIs](management-apis.md) | Windows Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. -[Microsoft threat protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. +[Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack. [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) |Learn to navigate your way around Windows Defender Security Center. diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index aa1c10660e..562664aec0 100644 --- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Windows Defender Advanced Threat Protection portal overview description: Use Windows Defender Security Center to monitor your enterprise network and assist in responding to alerts to potential advanced persistent threat (APT) activity or data breaches. keywords: Windows Defender Security Center, portal, cybersecurity threat intelligence, dashboard, alerts queue, machines list, settings, machine management, advanced attacks search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 04/24/2018 # Windows Defender Advanced Threat Protection portal overview **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..1a2575ea36 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/post-ti-indicator-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,115 @@ +--- +title: Submit or Update Ti Indicator API +description: Use this API to submit or Update Ti Indicator. +keywords: apis, graph api, supported apis, submit, ti, ti indicator, update +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Submit or Update TI Indicator API + +[!include[Prerelease information](prerelease.md)] + +>[!Note] +> Currently this API is supported only for AppOnly context requests. (See [Get access without a user](exposed-apis-create-app-webapp.md) for more information) + + +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +- Submits or Updates new [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. + + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Ti.ReadWrite | 'Read and write TI Indicators' + + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/tiindicators +``` + +[!include[Improve request performance](improverequestperformance-new.md)] + + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. **Required** +indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url". **Required** +action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed". **Required** +title | String | TI indicator alert title. **Optional** +expirationTime | DateTimeOffset | The expiration time of the indicator. **Optional** +severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High". **Optional** +description | String | Description of the indicator. **Optional** +recommendedActions | String | TI indicator alert recommended actions. **Optional** + + +## Response +- If successful, this method returns 200 - OK response code and the created / updated [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity in the response body. +- If not successful: this method return 400 - Bad Request / 409 - Conflict with the failure reason. Bad request usually indicates incorrect body and Conflict can happen if you try to submit a TI Indicator with existing indicator value but with different Indicator type or Action. + +## Example + +**Request** + +Here is an example of the request. + +``` +POST https://api.securitycenter.windows.com/api/tiindicators +Content-type: application/json +{ + "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST" +} + +``` +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 200 OK +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "indicator": "220e7d15b0b3d7fac48f2bd61114db1022197f7f", + "indicatorType": "FileSha1", + "title": "test", + "creationTimeDateTimeUtc": "2018-10-24T10:54:23.2009016Z", + "createdBy": "45097602-1234-5678-1234-9f453233e62c", + "expirationTime": "2020-12-12T00:00:00Z", + "action": "AlertAndBlock", + "severity": "Informational", + "description": "test", + "recommendedActions": "TEST" +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md index 269e894610..7454693217 100644 --- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md @@ -3,20 +3,27 @@ title: Create and build Power BI reports using Windows Defender ATP data description: Get security insights by creating and building Power BI dashboards using data from Windows Defender ATP and other data sources. keywords: settings, power bi, power bi service, power bi desktop, reports, dashboards, connectors , security insights, mashup search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 11/26/2018 --- + + # Create and build Power BI reports using Windows Defender ATP data **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Prerelease information](prerelease.md)] + +>[!TIP] +>Go to **Advanced features** in the **Settings** page to turn on the preview features. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-powerbireports-abovefoldlink) @@ -122,7 +129,9 @@ You can create a custom dashboard in Power BI Desktop to create visualizations t ### Before you begin 1. Make sure you use Power BI Desktop June 2017 and above. [Download the latest version](https://powerbi.microsoft.com/en-us/desktop/). -2. In the navigation pane, select **Settings** > **Power BI reports**. +2. In the Windows Defender Security Center navigation pane, select **Settings** > **Power BI reports**. + + ![Image of settings Power BI reports](images/atp-settings-powerbi.png) 3. Click **Download connector** to download the WDATPPowerBI.zip file and extract it. @@ -195,5 +204,10 @@ There are a couple of tabs on the report that's generated: In general, if you know of a specific threat name, CVE, or KB, you can identify machines with unpatched vulnerabilities that might be leveraged by threats. This report also helps you determine whether machine-level mitigations are configured correctly on the machines and prioritize those that might need attention. +## Related topic +- [**Beta** Create custom Power BI reports](run-advanced-query-sample-power-bi-app-token.md) + + + diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md index 538450ea18..545da6110c 100644 --- a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: PowerShell code examples for the custom threat intelligence API description: Use PowerShell code to create custom threat intelligence using REST API. keywords: powershell, code examples, threat intelligence, custom threat intelligence, rest api, api search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 04/24/2018 # PowerShell code examples for the custom threat intelligence API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index 76c28f6e1f..d408ead55e 100644 --- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Configure Windows Defender Security Center settings description: Use the settings page to configure general settings, permissions, apis, and rules. keywords: settings, general settings, permissions, apis, rules search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,7 +16,7 @@ ms.date: 04/24/2018 # Configure Windows Defender Security Center settings **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-prefsettings-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md index a295925903..a3411e8a2a 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Turn on the preview experience in Windows Defender ATP description: Turn on the preview experience in Windows Defender Advanced Threat Protection to try upcoming features. keywords: advanced features, settings, block file search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,7 +16,7 @@ ms.date: 04/24/2018 # Turn on the preview experience in Windows Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 3eab3eda81..f0d5d23e2f 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Windows Defender ATP preview features description: Learn how to access Windows Defender Advanced Threat Protection preview features. keywords: preview, preview experience, Windows Defender Advanced Threat Protection, features, updates search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,13 +11,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 12/03/2018 --- # Windows Defender ATP preview features **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -38,20 +39,13 @@ Turn on the preview experience setting to be among the first to try upcoming fea ## Preview features The following features are included in the preview release: -- [Threat analytics](threat-analytics.md)
    -Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - -- [Custom detection](overview-custom-detections.md)
    - With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. +- [Information protection](information-protection-in-windows-overview.md)
    +Windows Defender ATP is seamlessly integrated in Microsoft Threat Protection to provide a complete and comprehensive data loss prevention (DLP) solution for Windows devices. This solution is delivered and managed as part of the unified Microsoft 365 information protection suite. -- [Managed security service provider (MSSP) support](mssp-support-windows-defender-advanced-threat-protection.md)
    -Windows Defender ATP adds support for this scenario by providing MSSP integration. -The integration will allow MSSPs to take the following actions: -Get access to MSSP customer's Windows Defender Security Center portal, fet email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Incidents](incidents-queue.md)
    +Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network. -- [Integration with Azure Security Center](configure-server-endpoints-windows-defender-advanced-threat-protection.md#integration-with-azure-security-center)
    -Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. - [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)
    Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. @@ -68,5 +62,9 @@ Onboard supported versions of Windows machines so that they can send sensor data - Windows 8.1 Pro +- [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
    +Windows Defender ATP makes it easy to create a Power BI dashboard by providing an option straight from the portal. + + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-preview-belowfoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md index 58f784e646..22404be54a 100644 --- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Pull Windows Defender ATP alerts using REST API description: Pull alerts from Windows Defender ATP REST API. keywords: alerts, pull alerts, rest api, request, response search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,13 +11,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 11/19/2018 --- # Pull Windows Defender ATP alerts using REST API **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -40,6 +41,9 @@ The _Client credential flow_ uses client credentials to authenticate against the Use the following method in the Windows Defender ATP API to pull alerts in JSON format. +>[!NOTE] +>Windows Defender Security Center merges similar alert detections into a single alert. This API pulls alert detections in its raw form based on the query parameters you set, enabling you to apply your own grouping and filtering. + ## Before you begin - Before calling the Windows Defender ATP endpoint to pull alerts, you'll need to enable the SIEM integration application in Azure Active Directory (AAD). For more information, see [Enable SIEM integration in Windows Defender ATP](enable-siem-integration-windows-defender-advanced-threat-protection.md). @@ -69,7 +73,7 @@ The response will include an access token and expiry information. ```json { "token_type": "Bearer", - "expires_in": "3599" + "expires_in": "3599", "ext_expires_in": "0", "expires_on": "1488720683", "not_before": "1488720683", @@ -94,7 +98,7 @@ Authorization | string | Required. The Azure AD access token in the form **Beare ### Request parameters -Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization. +Use optional query parameters to specify and control the amount of data returned in a response. If you call this method without parameters, the response contains all the alerts in your organization in the last 2 hours. Name | Value| Description :---|:---|:--- @@ -102,6 +106,9 @@ DateTime?sinceTimeUtc | string | Defines the lower time bound alerts are retriev DateTime?untilTimeUtc | string | Defines the upper time bound alerts are retrieved.
    The time range will be: from `sinceTimeUtc` time to `untilTimeUtc` time.

    **NOTE**: When not specified, the default value will be the current time. string ago | string | Pulls alerts in the following time range: from `(current_time - ago)` time to `current_time` time.

    Value should be set according to **ISO 8601** duration format
    E.g. `ago=PT10M` will pull alerts received in the last 10 minutes. int?limit | int | Defines the number of alerts to be retrieved. Most recent alerts will be retrieved based on the number defined.

    **NOTE**: When not specified, all alerts available in the time range will be retrieved. +machinegroups | String | Specifies machine groups to pull alerts from.

    **NOTE**: When not specified, alerts from all machine groups will be retrieved.

    Example:

    ```https://wdatp-alertexporter-eu.securitycenter.windows.com/api/Alerts/?machinegroups=UKMachines&machinegroups=FranceMachines``` +DeviceCreatedMachineTags | string | Single machine tag from the registry. +CloudCreatedMachineTags | string | Machine tags that were created in Windows Defender Security Center. ### Request example The following example demonstrates how to retrieve all the alerts in your organization. diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md index f84794a823..57d3428cbc 100644 --- a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Python code examples for the custom threat intelligence API description: Use Python code to create custom threat intelligence using REST API. keywords: python, code examples, threat intelligence, custom threat intelligence, rest api, api search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 04/24/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md index 20e2299d14..bc2837f2bb 100644 --- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Use role-based access control to grant fine-grained access to Windows Def description: Create roles and groups within your security operations to grant access to the portal. keywords: rbac, role, based, access, control, groups, control, tier, aad search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -17,7 +18,7 @@ ms.date: 05/08/2018 **Applies to:** - Azure Active Directory - Office 365 -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-rbac-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md index 5e12dabe3d..94706ede5a 100644 --- a/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Request sample API description: Use this API to create calls related to requesting a sample from a machine. keywords: apis, graph api, supported apis, request sample search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Request sample API +# Request sample API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Request sample of a file from a specific machine. File will be collected from the machine and uploaded to a secure storage. diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md index 148d0a9793..e6e881df90 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Take response actions on a file in Windows Defender ATP description: Take response actions on file related alerts by stopping and quarantining a file or blocking a file and checking activity details. keywords: respond, stop and quarantine, block file, deep analysis search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 04/24/2018 # Take response actions on a file **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md index 064fb37360..b684069aa8 100644 --- a/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Take response actions on a machine in Windows Defender ATP description: Take response actions on a machine such as isolating machines, collecting an investigation package, managing tags, running av scan, and restricting app execution. keywords: respond, isolate, isolate machine, collect investigation package, action center, restrict, manage tags, av scan, restrict app search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,13 +11,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 12/12/2017 +ms.date: 11/28/2018 --- # Take response actions on a machine **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-respondmachine-abovefoldlink) @@ -121,7 +122,8 @@ In addition to the ability of containing an attack by stopping malicious process >[!IMPORTANT] > - This action is available for machines on Windows 10, version 1709 or later. -> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). +> - This feature is available if your organization uses Windows Defender Antivirus. +> - This action needs to meet the Windows Defender Application Control code integrity policy formats and signing requirements. For more information, see [Code integrity policy formats and signing](https://docs.microsoft.com/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard#code-integrity-policy-formats-and-signing). The action to restrict an application from running applies a code integrity policy that only allows running of files that are signed by a Microsoft issued certificate. This method of restriction can help prevent an attacker from controlling compromised machines and performing further malicious activities. @@ -181,7 +183,7 @@ Depending on the severity of the attack and the sensitivity of the machine, you This machine isolation feature disconnects the compromised machine from the network while retaining connectivity to the Windows Defender ATP service, which continues to monitor the machine. -On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity. +On Windows 10, version 1709 or later, you'll have additional control over the network isolation level. You can also choose to enable Outlook and Skype for Business connectivity (a.k.a 'Selective Isolation'). >[!NOTE] >You’ll be able to reconnect the machine back to the network at any time. @@ -197,7 +199,7 @@ On Windows 10, version 1709 or later, you'll have additional control over the ne ![Image of isolate machine](images/atp-actions-isolate-machine.png) -3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated. +3. Select the check-box if you'd like to enable Outlook and Skype communication while the machine is isolated (a.k.a. 'Selective Isolation'). ![Image of isolation confirmation](images/atp-confirm-isolate.png) diff --git a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index 5feacd51aa..202606d056 100644 --- a/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Take response actions on files and machines in Windows Defender ATP description: Take response actions on files and machines by stopping and quarantining files, blocking a file, isolating machines, or collecting an investigation package. keywords: respond, stop and quarantine, block file, deep analysis, isolate machine, collect investigation package, action center search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 11/12/2017 # Take response actions in Windows Defender ATP **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..d57876fdc0 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,101 @@ +--- +title: Restrict app execution API +description: Use this API to create calls related to restricting an application from executing. +keywords: apis, graph api, supported apis, collect investigation package +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Restrict app execution API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Restrict execution of all applications on the machine except a predefined set (see [Response machine alerts](respond-machine-alerts-windows-defender-advanced-threat-protection.md) for more information) + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.RestrictExecution | 'Restrict code execution' +Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/restrictCodeExecution +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/restrictCodeExecution +Content-type: application/json +{ + "Comment": "Restrict code execution due to alert 1234" +} + +``` +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "78d408d1-384c-4c19-8b57-ba39e378011a", + "type": "RestrictCodeExecution", + "requestor": "Analyst@contoso.com ", + "requestorComment": "Restrict code execution due to alert 1234", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z", + "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z", + "relatedFileInfo": null +} + +``` + +To remove code execution restriction from a machine, see [Remove app restriction](unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md). + diff --git a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md index 985a82d123..1722b1f921 100644 --- a/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Restrict app execution API description: Use this API to create calls related to restricting an application from executing. keywords: apis, graph api, supported apis, collect investigation package search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,12 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Restrict app execution API +# Restrict app execution API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Restrict execution of set of predefined applications. diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md new file mode 100644 index 0000000000..8decfce57c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-api.md @@ -0,0 +1,151 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/03/2018 +--- + +# Advanced hunting API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prerelease information](prerelease.md)] + + + +This API allows you to run programmatic queries that you are used to running from [Windows Defender ATP Portal](https://securitycenter.windows.com/hunting). + + +## Limitations +This API is a beta version only and is currently restricted to the following actions: +1. ​You can only run a query on data from the last 30 days +2. The results will include a maximum of 10,000 rows +3. The number of executions is limited​ (up to 15 calls per minute, 15 minutes of running time every hour and 4 hours of running time a day) + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | AdvancedQuery.Read.All | 'Run advanced queries' +Delegated (work or school account) | AdvancedQuery.Read | 'Run advanced queries' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have 'Global Admin' AD role (note: will be updated soon to 'View Data') +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/advancedqueries/run +``` + +## Request headers + +Header | Value +:---|:--- +Authorization | Bearer {token}. **Required**. +Content-Type | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Query | Text | The query to run. **Required**. + +## Response +If successful, this method returns 200 OK, and _QueryResponse_ object in the response body. + + +## Example + +Request + +Here is an example of the request. + +>[!NOTE] +>For better performance, you can use server closer to your geo location: +> - api-us.securitycenter.windows.com +> - api-eu.securitycenter.windows.com +> - api-uk.securitycenter.windows.com + +``` +POST https://api.securitycenter.windows.com/api/advancedqueries/run +Content-type: application/json +{ + "Query":"ProcessCreationEvents +| where InitiatingProcessFileName =~ \"powershell.exe\" +| where ProcessCommandLine contains \"appdata\" +| project EventTime, FileName, InitiatingProcessFileName +| limit 2" +} +``` + +Response + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 200 OK +Content-Type: application/json​ +{ + "Schema": [{ + "Name": "EventTime", + "Type": "DateTime" + }, + { + "Name": "FileName", + "Type": "String" + }, + { + "Name": "InitiatingProcessFileName", + "Type": "String" + }], + "Results": [{ + "EventTime": "2018-07-09T07:16:26.8017265", + "FileName": "csc.exe", + "InitiatingProcessFileName": "powershell.exe" + }, + { + "EventTime": "2018-07-08T19:00:02.7798905", + "FileName": "gpresult.exe", + "InitiatingProcessFileName": "powershell.exe" + }] +} + + +``` + +## T​roubl​eshoot issues + +- Error: (403) Forbidden + + + If you get this error when calling Windows Defender ATP API, your token might not include the necessary permission. + + Check [app permissions](exposed-apis-create-app-webapp.md#validate-the-token) or [delegated permissions](exposed-apis-create-app-nativeapp.md#validate-the-token) included in your token. + + If the 'roles' section in the token does not include the necessary permission: + + - The necessary permission to your app might not have been granted. For more information, see [Access Windows Defender ATP without a user](exposed-apis-create-app-webapp.md#create-an-app) or [Access Windows Defender ATP on behalf of a user](exposed-apis-create-app-nativeapp.md#create-an-app) or, + - The app was not authorized in the tenant, see [Application consent](exposed-apis-create-app-webapp.md#application-consent). + + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting from Portal](advanced-hunting-windows-defender-advanced-threat-protection.md) +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md new file mode 100644 index 0000000000..d5e16fbf5a --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-ms-flow.md @@ -0,0 +1,88 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/24/2018 +--- + +# Schedule Advanced Hunting using Microsoft Flow +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Schedule advanced query. + +## Before you begin +You first need to [create an app](apis-intro.md). + +## Use case + +A common scenario is scheduling an advanced query and using the results for follow up actions and processing. +In this section we share sample for this purpose using [Microsoft Flow](https://flow.microsoft.com/) (or [Logic Apps](https://azure.microsoft.com/en-us/services/logic-apps/)). + +## Define a flow to run query and parse results + +Use the following basic flow as an example. + +1. Define the trigger – Recurrence by time. + +2. Add an action: Select HTTP. + + ![Image of MsFlow choose an action](images/ms-flow-choose-action.png) + + - Set method to be POST + - Uri is https://api.securitycenter.windows.com/api/advancedqueries/run or one of the region specific locations + - US: https://api-us.securitycenter.windows.com/api/advancedqueries/run + - Europe: https://api-eu.securitycenter.windows.com/api/advancedqueries/run + - United Kingdom: https://api-uk.securitycenter.windows.com/api/advancedqueries/run + - Add the Header: Content-Type application/json + - In the body write your query surrounded by single quotation mark (') + - In the Advanced options select Authentication to be Active Directory OAuth + - Set the Tenant with proper AAD Tenant Id + - Audience is https://api.securitycenter.windows.com + - Client ID is your application ID + - Credential Type should be Secret + - Secret is the application secret generated in the Azure Active directory. + + ![Image of MsFlow define action](images/ms-flow-define-action.png) + +3. You can use the "Parse JSON" action to get the schema of data – just "use sample payload to generate schema" and copy an output from of the expected result. + + ![Image of MsFlow parse json](images/ms-flow-parse-json.png) + +## Expand the flow to use the query results + +The following section shows how to use the parsed results to insert them in SQL database. + +This is an example only, you can use other actions supported by Microsoft Flow. + +- Add an 'Apply to each' action +- Select the Results json (which was an output of the last parse action) +- Add an 'Insert row' action – you will need to supply the connection details +- Select the table you want to update and define the mapping between the WD-ATP output to the SQL. Note it is possible to manipulate the data inside the flow. In the example I changed the type of the EventTime. + +![Image of insert into DB](images/ms-flow-insert-db.png) + +The output in the SQL DB is getting updates and can be used for correlation with other data sources. You can now read from your table: + +![Image of select from DB](images/ms-flow-read-db.png) + +## Full flow definition + +You can find below the full definition + +![Image of E2E flow](images/ms-flow-e2e.png) + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md new file mode 100644 index 0000000000..ce6ccb012c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-app-token.md @@ -0,0 +1,134 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 30/07/2018 +--- + +# Create custom reports using Power BI (app authentication) + +Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before. + +In this section we share Power BI query sample to run a query using **application token**. + +If you want to use **user token** instead please refer to [this](run-advanced-query-sample-power-bi-user-token.md) tutorial. + +>**Prerequisite**: You first need to [create an app](exposed-apis-create-app-webapp.md). + +## Run a query + +- Open Microsoft Power BI + +- Click **Get Data** > **Blank Query** + + ![Image of create blank query](images/power-bi-create-blank-query.png) + +- Click **Advanced Editor** + + ![Image of open advanced editor](images/power-bi-open-advanced-editor.png) + +- Copy the below and paste it in the editor, after you update the values of TenantId, AppId, AppSecret, Query + + ``` + let + + TenantId = "00000000-0000-0000-0000-000000000000", // Paste your own tenant ID here + AppId = "11111111-1111-1111-1111-111111111111", // Paste your own app ID here + AppSecret = "22222222-2222-2222-2222-222222222222", // Paste your own app secret here + Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", // Paste your own query here + + ResourceAppIdUrl = "https://api.securitycenter.windows.com", + OAuthUrl = Text.Combine({"https://login.windows.net/", TenantId, "/oauth2/token"}, ""), + + Resource = Text.Combine({"resource", Uri.EscapeDataString(ResourceAppIdUrl)}, "="), + ClientId = Text.Combine({"client_id", AppId}, "="), + ClientSecret = Text.Combine({"client_secret", Uri.EscapeDataString(AppSecret)}, "="), + GrantType = Text.Combine({"grant_type", "client_credentials"}, "="), + + Body = Text.Combine({Resource, ClientId, ClientSecret, GrantType}, "&"), + + AuthResponse= Json.Document(Web.Contents(OAuthUrl, [Content=Text.ToBinary(Body)])), + AccessToken= AuthResponse[access_token], + Bearer = Text.Combine({"Bearer", AccessToken}, " "), + + AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries/run", + + Response = Json.Document(Web.Contents( + AdvancedHuntingUrl, + [ + Headers = [#"Content-Type"="application/json", #"Accept"="application/json", #"Authorization"=Bearer], + Content=Json.FromValue([#"Query"=Query]) + ] + )), + + TypeMap = #table( + { "Type", "PowerBiType" }, + { + { "Double", Double.Type }, + { "Int64", Int64.Type }, + { "Int32", Int32.Type }, + { "Int16", Int16.Type }, + { "UInt64", Number.Type }, + { "UInt32", Number.Type }, + { "UInt16", Number.Type }, + { "Byte", Byte.Type }, + { "Single", Single.Type }, + { "Decimal", Decimal.Type }, + { "TimeSpan", Duration.Type }, + { "DateTime", DateTimeZone.Type }, + { "String", Text.Type }, + { "Boolean", Logical.Type }, + { "SByte", Logical.Type }, + { "Guid", Text.Type } + }), + + Schema = Table.FromRecords(Response[Schema]), + TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}), + Results = Response[Results], + Rows = Table.FromRecords(Results, Schema[Name]), + Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}})) + + in Table + + ``` + +- Click **Done** + + ![Image of create advanced query](images/power-bi-create-advanced-query.png) + +- Click **Edit Credentials** + + ![Image of edit credentials](images/power-bi-edit-credentials.png) + +- Select **Anonymous** and click **Connect** + + ![Image of set credentials](images/power-bi-set-credentials-anonymous.png) + +- Repeat the previous step for the second URL + +- Click **Continue** + + ![Image of edit data privacy](images/power-bi-edit-data-privacy.png) + +- Select the privacy level you want and click **Save** + + ![Image of set data privacy](images/power-bi-set-data-privacy.png) + +- View the results of your query + + ![Image of query results](images/power-bi-query-results.png) + +## Related topic +- [Create custom Power BI reports with user authentication](run-advanced-query-sample-power-bi-user-token.md) +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md new file mode 100644 index 0000000000..b065578d98 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-power-bi-user-token.md @@ -0,0 +1,115 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 30/07/2018 +--- + +# Create custom reports using Power BI (user authentication) +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + + +Run advanced queries and show results in Microsoft Power BI. Please read about [Advanced Hunting API](run-advanced-query-api.md) before. + +In this section we share Power BI query sample to run a query using **user token**. + +If you want to use **application token** instead please refer to [this](run-advanced-query-sample-power-bi-app-token.md) tutorial. + +## Before you begin +You first need to [create an app](exposed-apis-create-app-nativeapp.md). + +## Run a query + +- Open Microsoft Power BI + +- Click **Get Data** > **Blank Query** + + ![Image of create blank query](images/power-bi-create-blank-query.png) + +- Click **Advanced Editor** + + ![Image of open advanced editor](images/power-bi-open-advanced-editor.png) + +- Copy the below and paste it in the editor, after you update the values of Query + + ``` + let + + Query = "MachineInfo | where EventTime > ago(7d) | summarize EventCount=count(), LastSeen=max(EventTime) by MachineId", + + FormattedQuery= Uri.EscapeDataString(Query), + + AdvancedHuntingUrl = "https://api.securitycenter.windows.com/api/advancedqueries?key=" & FormattedQuery, + + Response = Json.Document(Web.Contents(AdvancedHuntingUrl)), + + TypeMap = #table( + { "Type", "PowerBiType" }, + { + { "Double", Double.Type }, + { "Int64", Int64.Type }, + { "Int32", Int32.Type }, + { "Int16", Int16.Type }, + { "UInt64", Number.Type }, + { "UInt32", Number.Type }, + { "UInt16", Number.Type }, + { "Byte", Byte.Type }, + { "Single", Single.Type }, + { "Decimal", Decimal.Type }, + { "TimeSpan", Duration.Type }, + { "DateTime", DateTimeZone.Type }, + { "String", Text.Type }, + { "Boolean", Logical.Type }, + { "SByte", Logical.Type }, + { "Guid", Text.Type } + }), + + Schema = Table.FromRecords(Response[Schema]), + TypedSchema = Table.Join(Table.SelectColumns(Schema, {"Name", "Type"}), {"Type"}, TypeMap , {"Type"}), + Results = Response[Results], + Rows = Table.FromRecords(Results, Schema[Name]), + Table = Table.TransformColumnTypes(Rows, Table.ToList(TypedSchema, (c) => {c{0}, c{2}})) + + in Table + + ``` + +- Click **Done** + + ![Image of create advanced query](images/power-bi-create-advanced-query.png) + +- Click **Edit Credentials** + + ![Image of edit credentials](images/power-bi-edit-credentials.png) + +- Select **Organizational account** > **Sign in** + + ![Image of set credentials](images/power-bi-set-credentials-organizational.png) + +- Enter your credentials and wait to be signed in + +- Click **Connect** + + ![Image of set credentials](images/power-bi-set-credentials-organizational-cont.png) + +- View the results of your query + + ![Image of query results](images/power-bi-query-results.png) + +## Related topic +- [Create custom Power BI reports with app authentication](run-advanced-query-sample-power-bi-app-token.md) +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md new file mode 100644 index 0000000000..76fa741ab6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-powershell.md @@ -0,0 +1,119 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 09/24/2018 +--- + +# Advanced Hunting using PowerShell +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + + +Run advanced queries using PowerShell, see [Advanced Hunting API](run-advanced-query-api.md). + +In this section we share PowerShell samples to retrieve a token and use it to run a query. + +## Before you begin +You first need to [create an app](apis-intro.md). + +## Preparation instructions + +- Open a PowerShell window. +- If your policy does not allow you to run the PowerShell commands, you can run the below command: +``` +Set-ExecutionPolicy -ExecutionPolicy Bypass +``` + +>For more details, see [PowerShell documentation](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy) + +## Get token + +- Run the following: + +``` +$tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here +$appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here +$appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here + +$resourceAppIdUri = 'https://api.securitycenter.windows.com' +$oAuthUri = "https://login.windows.net/$TenantId/oauth2/token" +$body = [Ordered] @{ + resource = "$resourceAppIdUri" + client_id = "$appId" + client_secret = "$appSecret" + grant_type = 'client_credentials' +} +$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop +$aadToken = $response.access_token + +``` + +where +- $tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) +- $appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) +- $appSecret: Secret of your AAD app + +## Run query + +Run the following query: + +``` +$query = 'RegistryEvents | limit 10' # Paste your own query here + +$url = "https://api.securitycenter.windows.com/api/advancedqueries/run" +$headers = @{ + 'Content-Type' = 'application/json' + Accept = 'application/json' + Authorization = "Bearer $aadToken" +} +$body = ConvertTo-Json -InputObject @{ 'Query' = $query } +$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body -ErrorAction Stop +$response = $webResponse | ConvertFrom-Json +$results = $response.Results +$schema = $response.Schema +``` + +- $results contains the results of your query +- $schema contains the schema of the results of your query + +### Complex queries + +If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command: + +``` +$query = [IO.File]::ReadAllText("C:\myQuery.txt"); # Replace with the path to your file +``` + +## Work with query results + +You can now use the query results. + +To output the results of the query in CSV format in file file1.csv do the below: + +``` +$results | ConvertTo-Csv -NoTypeInformation | Set-Content file1.csv +``` + +To output the results of the query in JSON format in file file1.json​ do the below: + +``` +$results | ConvertTo-Json | Set-Content file1.json +``` + + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using Python](run-advanced-query-sample-python.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md new file mode 100644 index 0000000000..71784d6ccd --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-advanced-query-sample-python.md @@ -0,0 +1,146 @@ +--- +title: Advanced Hunting API +description: Use this API to run advanced queries +keywords: apis, supported apis, advanced hunting, query +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 30/07/2018 +--- + +# Advanced Hunting using Python +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Run advanced queries using Python, see [Advanced Hunting API](run-advanced-query-api.md). + +In this section we share Python samples to retrieve a token and use it to run a query. + +>**Prerequisite**: You first need to [create an app](apis-intro.md). + +## Get token + +- Run the following: + +``` + +import json +import urllib.request +import urllib.parse + +tenantId = '00000000-0000-0000-0000-000000000000' # Paste your own tenant ID here +appId = '11111111-1111-1111-1111-111111111111' # Paste your own app ID here +appSecret = '22222222-2222-2222-2222-222222222222' # Paste your own app secret here + +url = "https://login.windows.net/%s/oauth2/token" % (tenantId) + +resourceAppIdUri = 'https://api.securitycenter.windows.com' + +body = { + 'resource' : resourceAppIdUri, + 'client_id' : appId, + 'client_secret' : appSecret, + 'grant_type' : 'client_credentials' +} + +data = urllib.parse.urlencode(body).encode("utf-8") + +req = urllib.request.Request(url, data) +response = urllib.request.urlopen(req) +jsonResponse = json.loads(response.read()) +aadToken = jsonResponse["access_token"] + +``` + +where +- tenantId: ID of the tenant on behalf of which you want to run the query (i.e., the query will be run on the data of this tenant) +- appId: ID of your AAD app (the app must have 'Run advanced queries' permission to WDATP) +- appSecret: Secret of your AAD app + +## Run query + + Run the following query: + +``` +query = 'RegistryEvents | limit 10' # Paste your own query here + +url = "https://api.securitycenter.windows.com/api/advancedqueries/run" +headers = { + 'Content-Type' : 'application/json', + 'Accept' : 'application/json', + 'Authorization' : "Bearer " + aadToken +} + +data = json.dumps({ 'Query' : query }).encode("utf-8") + +req = urllib.request.Request(url, data, headers) +response = urllib.request.urlopen(req) +jsonResponse = json.loads(response.read()) +schema = jsonResponse["Schema"] +results = jsonResponse["Results"] + +``` + +- schema contains the schema of the results of your query +- results contains the results of your query + +### Complex queries + +If you want to run complex queries (or multilines queries), save your query in a file and, instead of the first line in the above sample, run the below command: + +``` +queryFile = open("D:\\Temp\\myQuery.txt", 'r') # Replace with the path to your file +query = queryFile.read() +queryFile.close() +``` + +## Work with query results + +You can now use the query results. + +To iterate over the results do the below: + +``` +for result in results: + print(result) # Prints the whole result + print(result["EventTime"]) # Prints only the property 'EventTime' from the result + + +``` + + +To output the results of the query in CSV format in file file1.csv do the below: + +``` +import csv + +outputFile = open("D:\\Temp\\file1.csv", 'w') +output = csv.writer(outputFile) +output.writerow(results[0].keys()) +for result in results: + output.writerow(result.values()) + +outputFile.close() +``` + +To output the results of the query in JSON format in file file1.json​ do the below: + +``` +outputFile = open("D:\\Temp\\file1.json", 'w') +json.dump(results, outputFile) +outputFile.close() +``` + + +## Related topic +- [Windows Defender ATP APIs](apis-intro.md) +- [Advanced Hunting API](run-advanced-query-api.md) +- [Advanced Hunting using PowerShell](run-advanced-query-sample-powershell.md) +- [Schedule Advanced Hunting](run-advanced-query-sample-ms-flow.md) diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..c9ae44eb2b --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,107 @@ +--- +title: Run antivirus scan API +description: Use this API to create calls related to running an antivirus scan on a machine. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Run antivirus scan API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prerelease information](prerelease.md)] + +Initiate Windows Defender Antivirus scan on a machine. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Scan | 'Scan machine' +Delegated (work or school account) | Machine.Scan | 'Scan machine' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/runAntiVirusScan +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +ScanType| String | Defines the type of the Scan. **Required**. + +**ScanType** controls the type of scan to perform and can be one of the following: + +- **Quick** – Perform quick scan on the machine +- **Full** – Perform full scan on the machine + + + +## Response +If successful, this method returns 201, Created response code and _MachineAction_ object in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/runAntiVirusScan +Content-type: application/json +{ + "Comment": "Check machine for viruses due to alert 3212", + “ScanType”: “Full” +} +``` + +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "2e9da30d-27f6-4208-81f2-9cd3d67893ba", + "type": "RunAntiVirusScan", + "requestor": "Analyst@contoso.com", + "requestorComment": "Check machine for viruses due to alert 3212", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:18:27.1293487Z", + "lastUpdateTimeUtc": "2018-12-04T12:18:27.1293487Z", + "relatedFileInfo": null +} + +``` diff --git a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md index 9132144898..40d0e7da3f 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Run antivirus scan API description: Use this API to create calls related to running an antivirus scan on a machine. keywords: apis, graph api, supported apis, remove machine from isolation search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,12 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Run antivirus scan API +# Run antivirus scan API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Initiate Windows Defender Antivirus scan on the machine. diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md index ad774f962c..e0cf7f036b 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Run a detection test on a newly onboarded Windows Defender ATP machine description: Run the detection script on a newly onboarded machine to verify that it is properly onboarded to the Windows Defender ATP service. keywords: detection test, detection, powershell, script, verify, onboarding, windows defender advanced threat protection onboarding, clients, servers, test search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -21,7 +22,7 @@ ms.date: 09/07/2018 - Windows Server 2016 - Windows Server, version 1803 - Windows Server, 2019 -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service. diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md index 48a0fcb12c..724678dc82 100644 --- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md @@ -3,18 +3,19 @@ title: Configure the security controls in Secure score description: Configure the security controls in Secure score keywords: secure score, dashboard, security recommendations, security control state, security score, score improvement, microsoft secure score, security controls, security control, improvement opportunities, edr, antivirus, av, os security updates search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 10/26/2018 --- # Configure the security controls in Secure score **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Each security control lists recommendations that you can take to increase the security posture of your organization. @@ -79,7 +80,7 @@ You can take the following actions to increase the overall security score of you - Fix sensor data collection - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). -For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/en-us/help/4027322/windows-windows-update-troubleshooter). +For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/help/4027322/windows-windows-update-troubleshooter). ### Windows Defender Exploit Guard (Windows Defender EG) optimization @@ -174,6 +175,10 @@ For more information, see [Windows Defender Application Guard overview](../windo ### Windows Defender SmartScreen optimization For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for Windows Defender SmartScreen is fulfilled. +>[!WARNING] +> Data collected by Windows Defender SmartScreen might be stored and processed outside of the storage location you have selected for your Windows Defender ATP data. + + >[!IMPORTANT] >This security control is only applicable for machines with Windows 10, version 1709 or later. @@ -206,7 +211,7 @@ For a machine to be considered "well configured", Windows Defender Firewall must - Secure private profile by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked - Secure public profile is configured by enabling Windows Defender Firewall and ensure that Inbound connections is set to Blocked -For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). +For more information on Windows Defender Firewall settings, see [Planning settings for a basic firewall policy](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy). >[!NOTE] > If Windows Defender Firewall is not your primary firewall, consider excluding it from the security score calculations and make sure that your third-party firewall is configured in a securely. @@ -222,7 +227,7 @@ You can take the following actions to increase the overall security score of you - Fix sensor data collection - The Windows Defender ATP service relies on sensor data collection to determine the security state of a machine. The service will not be able to determine the security state of machines that are not reporting sensor data properly. Therefore, it's important to ensure that sensor data collection is working properly. For more information, see [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). -For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/en-us/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). +For more information, see [Windows Defender Firewall with Advanced Security](https://docs.microsoft.com/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security). ### BitLocker optimization For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for BitLocker is fulfilled. @@ -231,7 +236,7 @@ For a machine to be considered "well configured", it must comply to a minimum ba >This security control is only applicable for machines with Windows 10, version 1803 or later. #### Minimum baseline configuration setting for BitLocker -- Ensure all supported internal drives are encrypted +- Ensure all supported drives are encrypted - Ensure that all suspended protection on drives resume protection - Ensure that drives are compatible diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md index 0fdb2ab3d7..a5f69cd49c 100644 --- a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Windows Defender Security Center Security operations dashboard description: Use the dashboard to identify machines at risk, keep track of the status of the service, and see statistics and information about machines and alerts. keywords: dashboard, alerts, new, in progress, resolved, risk, machines at risk, infections, reporting, statistics, charts, graphs, health, active malware detections, threat category, categories, password stealer, ransomware, exploit, threat, low severity, active malware search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 09/04/2018 # Windows Defender Security Center Security operations dashboard **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-secopsdashboard-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index 20028f9555..b74a5f896b 100644 --- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Check the Windows Defender ATP service health description: Check Windows Defender ATP service health, see if the service is experiencing issues and review previous issues that have been resolved. keywords: dashboard, service, issues, service health, current status, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 04/24/2018 # Check the Windows Defender Advanced Threat Protection service health **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..9b50c9bf1d --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/stop-and-quarantine-file-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,105 @@ +--- +title: Stop and quarantine file API +description: Use this API to stop and quarantine file. +keywords: apis, graph api, supported apis, stop and quarantine file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Stop and quarantine file API + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +- Stop execution of a file on a machine and delete it. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.StopAndQuarantine | 'Stop And Quarantine' +Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. +Sha1 | String | Sha1 of the file to stop and quarantine on the machine. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile +Content-type: application/json +{ + "Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", + "Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9" +} + +``` +**Response** + +Here is an example of the response. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "141408d1-384c-4c19-8b57-ba39e378011a", + "type": "StopAndQuarantineFile", + "requestor": "Analyst@contoso.com ", + "requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z", + "lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z", + "relatedFileInfo": { + "fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9", + "fileIdentifierType": "Sha1" + } +} + +``` + diff --git a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md index 2e4f1e0fd1..078ced8e48 100644 --- a/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Stop and quarantine file API description: Use this API to create calls related to stopping and quarantining a file. keywords: apis, graph api, supported apis, stop, quarantine, file search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,12 +14,12 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Stop and quarantine file API +# Stop and quarantine file API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecated information](deprecate.md)] Stop execution of a file on a machine and ensure it’s not executed again on that machine. diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md index a6c64df7ff..aff0ccd147 100644 --- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Supported Windows Defender Advanced Threat Protection query APIs description: Learn about the specific supported Windows Defender Advanced Threat Protection entities where you can create API calls to. keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,15 +14,14 @@ ms.localizationpriority: medium ms.date: 09/03/2018 --- -# Supported Windows Defender ATP query APIs +# Supported Windows Defender ATP query APIs (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supportedapis-abovefoldlink) - Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. ## In this section @@ -34,4 +34,7 @@ File | Run API calls such as get file information, file related alerts, file rel IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization. Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID. User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines. - +KbInfo | Run API call that gets list of Windows KB's information +CveKbMap | Run API call that gets mapping of CVE's to corresponding KB's +MachineSecurityStates | Run API call that gets list of machines with their security properties and versions +MachineGroups | Run API call that gets list of machine group definitions \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md index 2ee0df491f..55dd5a1cfc 100644 --- a/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/supported-response-apis-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Supported Windows Defender Advanced Threat Protection response APIs description: Learn about the specific response related Windows Defender Advanced Threat Protection API calls. keywords: response apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 12/01/2017 # Supported Windows Defender ATP query APIs **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-supported-response-apis-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md index affe0ea030..4aab3cf41a 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics-dashboard-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Threat analytics for Spectre and Meltdown description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization. keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,7 +16,7 @@ ms.date: 09/03/2018 # Threat analytics for Spectre and Meltdown **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) The **Threat analytics** dashboard provides insight on how emerging threats affect your organization. It provides information that's specific for your organization. @@ -45,7 +46,7 @@ To access Threat analytics, from the navigation pane select **Dashboards** > **T Click a section of each chart to get a list of the machines in the corresponding mitigation status. ## Related topics -- [Threat analtyics](threat-analytics-windows-defender-advanced-threat-protection.md) +- [Threat analytics](threat-analytics.md) - [Overview of Secure Score in Windows Defender Security Center](overview-secure-score-windows-defender-advanced-threat-protection.md) - [Configure the security controls in Secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md index cb47452b3c..ba29920b5d 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-analytics.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-analytics.md @@ -3,6 +3,7 @@ title: Windows Defender Advanced Threat Protection Threat analytics description: Get a tailored organizational risk evaluation and actionable steps you can take to minimize risks in your organization. keywords: threat analytics, risk evaluation, OS mitigation, microcode mitigation, mitigation status search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,14 +11,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 10/29/2018 --- # Threat analytics **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -[!include[Prereleaseinformation](prerelease.md)] Cyberthreats are emerging more frequently and prevalently. It is critical for organizations to be able to quickly assess their security posture, including impact, and organizational resilience in the context of specific emerging threats. diff --git a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md index c189fa2336..155f23aef6 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Understand threat intelligence concepts in Windows Defender ATP description: Create custom threat alerts for your organization and learn the concepts around threat intelligence in Windows Defender Advanced Threat Protection. keywords: threat intelligence, alert definitions, indicators of compromise, ioc search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 09/03/2018 # Understand threat intelligence concepts **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md index b491a5a109..d837895ff9 100644 --- a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md @@ -1,8 +1,9 @@ --- -title: Microsoft threat protection -description: -keywords: +title: Windows Defender ATP in Microsoft Threat Protection +description: Learn about the capabilities within the Microsoft Threat Protection +keywords: microsoft threat protection, conditional access, office, advanced threat protection, azure atp, azure security center, microsoft cloud app security search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,33 +11,47 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/12/2018 +ms.date: 12/03/2018 --- -# Microsoft threat protection +# Microsoft Threat Protection + +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. + +For more information on Microsoft Threat Protection, see [Announcing Microsoft Threat Protection](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783). Microsoft's multiple layers of threat protection across data, applications, devices, and identities can help protect your organization from advanced cyber threats. Each layer in the threat protection stack plays a critical role in protecting customers. The deep integration between these layers results in better protected customers. -## Conditional access -Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. - -## Office 365 Advanced Threat Protection (Office 365 ATP) -The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. - ## Azure Advanced Threat Protection (Azure ATP) Suspicious activities are processes running under a user context. The integration between Windows Defender ATP and Azure ATP provides the flexibility of conducting cyber security investigation across activities and identities. -## Skype for Business -The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal. - ## Azure Security Center Windows Defender ATP provides a comprehensive server protection solution, including endpoint detection and response (EDR) capabilities on Windows Servers. +## Azure Information Protection +Keep sensitive data secure while enabling productivity in the workplace through data data discovery and data protection. + +## Conditional access +Windows Defender ATP's dynamic machine risk score is integrated into the conditional access evaluation, ensuring that only secure devices have access to resources. + + ## Microsoft Cloud App Security Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +## Office 365 Advanced Threat Protection (Office 365 ATP) +[Office 365 ATP](https://docs.microsoft.com/office365/securitycompliance/office-365-atp) helps protect your organization from malware in email messages or files through ATP Safe Links, ATP Safe Attachments, advanced Anti-Phishing, and spoof intelligence capabilities. The integration between Office 365 ATP and Windows Defender ATP enables security analysts to go upstream to investigate the entry point of an attack. Through threat intelligence sharing, attacks can be contained and blocked. + +## Skype for Business +The Skype for Business integration provides s a way for analysts to communicate with a potentially compromised user or device owner through ao simple button from the portal. + + + ## Related topic - [Protect users, data, and devices with conditional access](conditional-access-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..d8693cd298 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/ti-indicator-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,45 @@ +--- +title: TiIndicator resource type +description: TiIndicator entity description. +keywords: apis, supported apis, get, TiIndicator, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# TI(threat intelligence) Indicator resource type + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Method|Return Type |Description +:---|:---|:--- +[List TI Indicators](get-ti-indicators-collection-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) Collection | List [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entities. +[Get TI Indicator by ID](get-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Gets the requested [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +[Submit TI Indicator](post-ti-indicator-windows-defender-advanced-threat-protection-new.md) | [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) | Submits [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +[Delete TI Indicator](delete-ti-indicator-by-id-windows-defender-advanced-threat-protection-new.md) | No Content | Deletes [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. + + +# Properties +Property | Type | Description +:---|:---|:--- +indicator | String | Identity of the [TI Indicator](ti-indicator-windows-defender-advanced-threat-protection-new.md) entity. +indicatorType | Enum | Type of the indicator. Possible values are: "FileSha1", "FileSha256", "IpAddress", "DomainName" and "Url" +title | String | Ti indicator alert title. +creationTimeDateTimeUtc | DateTimeOffset | The date and time when the indicator was created. +createdBy | String | Identity of the user/application that submitted the indicator. +expirationTime | DateTimeOffset | The expiration time of the indicator +action | Enum | The action that will be taken if the indicator will be discovered in the organization. Possible values are: "Alert", "AlertAndBlock", and "Allowed" +severity | Enum | The severity of the indicator. possible values are: "Informational", "Low", "Medium" and "High" +description | String | Description of the indicator. +recommendedActions | String | TI indicator alert recommended actions. + + diff --git a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md index 505296a18a..e513ef6ba4 100644 --- a/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/time-settings-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Windows Defender Security Center time zone settings description: Use the menu to configure the time zone and view license information. keywords: settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 02/13/2018 # Windows Defender Security Center time zone settings **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md index d86deb3f28..193e3acb5f 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Troubleshoot custom threat intelligence issues in Windows Defender ATP description: Troubleshoot issues that might arise when using the custom threat intelligence feature in Windows Defender ATP. keywords: troubleshoot, custom threat intelligence, custom ti, rest api, api, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -18,7 +19,7 @@ ms.date: 06/25/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md index 3310063e5a..01a0beefda 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md @@ -1,82 +1,90 @@ ---- -title: Troubleshoot onboarding issues and error messages -description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection. -keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp -search.product: eADQiWindows 10XVcnh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: v-tanewt -author: tbit0001 -ms.localizationpriority: medium -ms.date: 08/01/2018 ---- - -# Troubleshoot subscription and portal access issues - -**Applies to:** - - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - ->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) - - -This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service. - -If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied. - -## No subscriptions found - -If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license. - -Potential reasons: -- The Windows E5 and Office E5 licenses are separate licenses. -- The license was purchased but not provisioned to this AAD instance. - - It could be a license provisioning issue. - - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service. - -For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or -[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx). - -![Image of no subscriptions found](images\atp-no-subscriptions-found.png) - -## Your subscription has expired - -If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date. - -You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license. - -> [!NOTE] -> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. - -![Image of subscription expired](images\atp-subscription-expired.png) - -## You are not authorized to access the portal - -If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. -For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). - -![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png) - -## Data currently isn't available on some sections of the portal -If the portal dashboard, and other sections show an error message such as "Data currently isn't available": - -![Image of data currently isn't available](images/atp-data-not-available.png) - -You'll need to whitelist the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`. - - -## Portal communication issues -If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communciation. - -- `*.blob.core.windows.net -crl.microsoft.com` -- `https://*.microsoftonline-p.com` - `https://*.securitycenter.windows.com` - `https://automatediracs-eus-prd.securitycenter.windows.com` - `https://login.microsoftonline.com` - `https://login.windows.net` - `https://onboardingpackagescusprd.blob.core.windows.net` -- `https://secure.aadcdn.microsoftonline-p.com` -- `https://securitycenter.windows.com` - `https://static2.sharepointonline.com` - -## Related topics +--- +title: Troubleshoot onboarding issues and error messages +description: Troubleshoot onboarding issues and error message while completing setup of Windows Defender Advanced Threat Protection. +keywords: troubleshoot, troubleshooting, Azure Active Directory, onboarding, error message, error messages, windows defender atp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: v-tanewt +author: tbit0001 +ms.localizationpriority: medium +ms.date: 08/01/2018 +--- + +# Troubleshoot subscription and portal access issues + +**Applies to:** + + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + + +>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troublshootonboarding-abovefoldlink) + + +This page provides detailed steps to troubleshoot issues that might occur when setting up your Windows Defender ATP service. + +If you receive an error message, Windows Defender Security Center will provide a detailed explanation on what the issue is and relevant links will be supplied. + +## No subscriptions found + +If while accessing Windows Defender Security Center you get a **No subscriptions found** message, it means the Azure Active Directory (AAD) used to login the user to the portal, does not have a Windows Defender ATP license. + +Potential reasons: +- The Windows E5 and Office E5 licenses are separate licenses. +- The license was purchased but not provisioned to this AAD instance. + - It could be a license provisioning issue. + - It could be you inadvertently provisioned the license to a different Microsoft AAD than the one used for authentication into the service. + +For both cases you should contact Microsoft support at [General Windows Defender ATP Support](https://support.microsoft.com/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636419533611396913) or +[Volume license support](https://www.microsoft.com/licensing/servicecenter/Help/Contact.aspx). + +![Image of no subscriptions found](images\atp-no-subscriptions-found.png) + +## Your subscription has expired + +If while accessing Windows Defender Security Center you get a **Your subscription has expired** message, your online service subscription has expired. Windows Defender ATP subscription, like any other online service subscription, has an expiration date. + +You can choose to renew or extend the license at any point in time. When accessing the portal after the expiration date a **Your subscription has expired** message will be presented with an option to download the machine offboarding package, should you choose to not renew the license. + +> [!NOTE] +> For security reasons, the package used to Offboard machines will expire 30 days after the date it was downloaded. Expired offboarding packages sent to a machine will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. + +![Image of subscription expired](images\atp-subscription-expired.png) + +## You are not authorized to access the portal + +If you receive a **You are not authorized to access the portal**, be aware that Windows Defender ATP is a security monitoring, incident investigation and response product, and as such, access to it is restricted and controlled by the user. +For more information see, [**Assign user access to the portal**](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection). + +![Image of not authorized to access portal](images\atp-not-authorized-to-access-portal.png) + +## Data currently isn't available on some sections of the portal +If the portal dashboard, and other sections show an error message such as "Data currently isn't available": + +![Image of data currently isn't available](images/atp-data-not-available.png) + +You'll need to whitelist the `securitycenter.windows.com` and all sub-domains under it. For example `*.securitycenter.windows.com`. + + +## Portal communication issues +If you encounter issues with accessing the portal, missing data, or restricted access to portions of the portal, you'll need to verify that the following URLs are whitelisted and open for communciation. + +- `*.blob.core.windows.net +crl.microsoft.com` +- `https://*.microsoftonline-p.com` +- `https://*.securitycenter.windows.com` +- `https://automatediracs-eus-prd.securitycenter.windows.com` +- `https://login.microsoftonline.com` +- `https://login.windows.net` +- `https://onboardingpackagescusprd.blob.core.windows.net` +- `https://secure.aadcdn.microsoftonline-p.com` +- `https://securitycenter.windows.com` +- `https://static2.sharepointonline.com` + + +## Related topics - [Validate licensing provisioning and complete setup for Windows Defender ATP](licensing-windows-defender-advanced-threat-protection.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index e7c34f1bb9..3a34547911 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Troubleshoot Windows Defender ATP onboarding issues description: Troubleshoot issues that might arise during the onboarding of machines or to the Windows Defender ATP service. keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 09/07/2018 # Troubleshoot Windows Defender Advanced Threat Protection onboarding issues **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - Windows Server 2012 R2 - Windows Server 2016 @@ -253,7 +254,7 @@ If the verification fails and your environment is using a proxy to connect to th For example, in Group Policy there should be no entries such as the following values: - `````` - - `````` + - `````` - After clearing the policy, run the onboarding steps again. - You can also check the following registry key values to verify that the policy is disabled: diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index cd9048386c..8c7c0f5e5f 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Troubleshoot SIEM tool integration issues in Windows Defender ATP description: Troubleshoot issues that might arise when using SIEM tools with Windows Defender ATP. keywords: troubleshoot, siem, client secret, secret search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,13 +11,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 02/13/2018 +ms.date: 11/08/2018 --- # Troubleshoot SIEM tool integration issues **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) @@ -66,6 +67,12 @@ If you encounter an error when trying to get a refresh token when using the thre 6. Click **Save**. +## Error while enabling the SIEM connector application +If you encounter an error when trying to enable the SIEM connector application, check the pop-up blocker settings of your browser. It might be blocking the new window being opened when you enable the capability. + + + + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) ## Related topics diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md index 12f36df3a9..272709e22a 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md @@ -3,6 +3,7 @@ title: Troubleshoot Windows Defender Advanced Threat Protection capabilities description: Find solutions to issues on sensor state, service issues, or other Windows Defender ATP capabilities keywords: troubleshoot, sensor, state, service, issues, attack surface reduction, next generation protection search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md index fc9f502186..2f5332e094 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Troubleshoot Windows Defender Advanced Threat Protection service issues description: Find solutions and work arounds to known issues such as server errors when trying to access the service. keywords: troubleshoot Windows Defender Advanced Threat Protection, troubleshoot Windows ATP, server error, access denied, invalid credentials, no data, dashboard portal, whitelist, event viewer search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md index 7ea3ec1258..ad824d3ab2 100644 --- a/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Unblock file API description: Use this API to create calls related to allowing a file to be executed in the organization keywords: apis, graph api, supported apis, unblock file search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Unblock file API +# Unblock file API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Allow a file to be executed in the organization, using Windows Defender Antivirus. diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..0b654aa63c --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,105 @@ +--- +title: Release machine from isolation API +description: Use this API to create calls related to release a machine from isolation. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Release machine from isolation API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Undo isolation of a machine. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.Isolate | 'Isolate machine' +Delegated (work or school account) | Machine.Isolate | 'Isolate machine' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/unisolate +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unisolate +Content-type: application/json +{ + "Comment": "Unisolate machine since it was clean and validated" +} + +``` +**Response** + +Here is an example of the response. + +>[!NOTE] +>The response object shown here may be truncated for brevity. All of the properties will be returned from an actual call. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "09a0f91e-a2eb-409d-af33-5577fe9bd558", + "type": "Unisolate", + "requestor": "Analyst@contoso.com ", + "requestorComment": "Unisolate machine since it was clean and validated ", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:13:15.0104931Z", + "lastUpdateTimeUtc": "2018-12-04T12:13:15.0104931Z", + "relatedFileInfo": null +} + +``` + +To isolate a machine, see [Isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md). + diff --git a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md index c0ef9d02f6..8898ab6189 100644 --- a/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Release machine from isolation API description: Use this API to create calls related to release a machine from isolation. keywords: apis, graph api, supported apis, remove machine from isolation search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Release machine from isolation API +# Release machine from isolation API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Undo isolation of a machine. diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..8ca7430854 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,100 @@ +--- +title: Remove app restriction API +description: Use this API to create calls related to removing a restriction from applications from executing. +keywords: apis, graph api, supported apis, remove machine from isolation +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Remove app restriction API +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +[!include[Prereleaseinformation](prerelease.md)] + +Enable execution of any application on the machine. + +[!include[Machine actions note](machineactionsnote.md)] + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Machine.RestrictExecution | 'Restrict code execution' +Delegated (work or school account) | Machine.RestrictExecution | 'Restrict code execution' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Active remediation actions' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +POST https://api.securitycenter.windows.com/api/machines/{id}/unrestrictCodeExecution +``` + +## Request headers +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | string | application/json. **Required**. + +## Request body +In the request body, supply a JSON object with the following parameters: + +Parameter | Type | Description +:---|:---|:--- +Comment | String | Comment to associate with the action. **Required**. + +## Response +If successful, this method returns 201 - Created response code and [Machine Action](machineaction-windows-defender-advanced-threat-protection-new.md) in the response body. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/unrestrictCodeExecution +Content-type: application/json +{ + "Comment": "Unrestrict code execution since machine was cleaned and validated" +} + +``` + +**Response** + +Here is an example of the response. + +``` +HTTP/1.1 201 Created +Content-type: application/json +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity", + "id": "44cffc15-0e3d-4cbf-96aa-bf76f9b27f5e", + "type": "UnrestrictCodeExecution", + "requestor": "Analyst@contoso.com", + "requestorComment": "Unrestrict code execution since machine was cleaned and validated ", + "status": "InProgress", + "machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07", + "creationDateTimeUtc": "2018-12-04T12:15:40.6052029Z", + "lastUpdateTimeUtc": "2018-12-04T12:15:40.6052029Z", + "relatedFileInfo": null +} + +``` + +To restrict code execution on a machine, see [Restrict app execution](restrict-code-execution-windows-defender-advanced-threat-protection-new.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md index 4c8788c337..e011fa5800 100644 --- a/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Remove app restriction API description: Use this API to create calls related to removing a restriction from applications from executing. keywords: apis, graph api, supported apis, remove machine from isolation search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -13,13 +14,13 @@ ms.localizationpriority: medium ms.date: 12/08/2017 --- -# Remove app restriction API +# Remove app restriction API (deprecated) **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +[!include[Deprecatedinformation](deprecate.md)] Unrestrict execution of set of predefined applications. diff --git a/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..cfc99280d3 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/update-alert-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,108 @@ +--- +title: Get alert information by ID API +description: Retrieves an alert by its ID. +keywords: apis, graph api, supported apis, get, alert, information, id +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# Update alert +**Applies to:** + +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + + +[!include[Prereleaseinformation](prerelease.md)] +Update the properties of an alert entity. + +## Permissions +One of the following permissions is required to call this API. To learn more, including how to choose permissions, see [Use Windows Defender ATP APIs](apis-intro.md) + +Permission type | Permission | Permission display name +:---|:---|:--- +Application | Alerts.ReadWrite.All | 'Read and write all alerts' +Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' + +>[!Note] +> When obtaining a token using user credentials: +>- The user needs to have at least the following role permission: 'Alerts investigation' (See [Create and manage roles](user-roles-windows-defender-advanced-threat-protection.md) for more information) +>- The user needs to have access to the machine associated with the alert, based on machine group settings (See [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md) for more information) + +## HTTP request +``` +PATCH /api/alerts/{id} +``` + +## Request headers + +Name | Type | Description +:---|:---|:--- +Authorization | String | Bearer {token}. **Required**. +Content-Type | String | application/json. **Required**. + + +## Request body +In the request body, supply the values for the relevant fields that should be updated.Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values. For best performance you shouldn't include existing values that haven't change. + +Property | Type | Description +:---|:---|:--- +status | String | Specifies the current status of the alert. The property values are: 'New', 'InProgress' and 'Resolved'. +assignedTo | String | Owner of the alert +classification | String | Specifies the specification of the alert. The property values are: 'Unknown', 'FalsePositive', 'TruePositive'. +determination | String | Specifies the determination of the alert. The property values are: 'NotAvailable', 'Apt', 'Malware', 'SecurityPersonnel', 'SecurityTesting', 'UnwantedSoftware', 'Other' + + +## Response +If successful, this method returns 200 OK, and the [alert](alerts-windows-defender-advanced-threat-protection-new.md) entity in the response body with the updated properties. If alert with the specified id was not found - 404 Not Found. + + +## Example + +**Request** + +Here is an example of the request. + +[!include[Improve request performance](improverequestperformance-new.md)] + +``` +PATCH https://api.securitycenter.windows.com/api/alerts/121688558380765161_2136280442 +Content-Type: application/json +{ + "assignedTo": "secop2@contoso.com" +} +``` + +**Response** + +Here is an example of the response. + +``` +{ + "@odata.context": "https://api.securitycenter.windows.com/api/$metadata#Alerts/$entity", + "id": "121688558380765161_2136280442", + "incidentId": 7696, + "assignedTo": "secop2@contoso.com", + "severity": "High", + "status": "New", + "classification": "TruePositive", + "determination": "Malware", + "investigationState": "Running", + "category": "MalwareDownload", + "detectionSource": "WindowsDefenderAv", + "threatFamilyName": "Mikatz", + "title": "Windows Defender AV detected 'Mikatz', high-severity malware", + "description": "Some description", + "alertCreationTime": "2018-11-26T16:19:21.8409809Z", + "firstEventTime": "2018-11-26T16:17:50.0948658Z", + "lastEventTime": "2018-11-26T16:18:01.809871Z", + "resolvedTime": null, + "machineId": "9d80fbbc1bdbc5ce968f1d37c72384cbe17ee337" +} +``` diff --git a/windows/security/threat-protection/windows-defender-atp/use-apis.md b/windows/security/threat-protection/windows-defender-atp/use-apis.md new file mode 100644 index 0000000000..991dcfebfe --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/use-apis.md @@ -0,0 +1,26 @@ +--- +title: Use the Windows Defender Advanced Threat Protection APIs +description: Use the exposed data and actions using a set of progammatic APIs that are part of the Microsoft Intelligence Security Graph. +keywords: apis, graph api, supported apis, actor, alerts, machine, user, domain, ip, file +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 11/28/2018 +--- + +# Use the Windows Defender ATP exposed APIs + +**Applies to:** +- Windows Defender Advanced Threat Protection (Windows Defender ATP) + +## In this section +Topic | Description +:---|:--- +Create your app | Learn how to create an application to get programmatical access to Windows Defender ATP [on behalf of a user](exposed-apis-create-app-nativeapp.md) or [without a user](exposed-apis-create-app-webapp.md). +Supported Windows Defender ATP APIs | Learn more about the individual supported entities where you can run API calls to and details such as HTTP request values, request headers and expected responses. Examples include APIs for [alert resource type](alerts-windows-defender-advanced-threat-protection-new.md), [domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection-new.md), or even actions such as [isolate machine](isolate-machine-windows-defender-advanced-threat-protection-new.md). +How to use APIs - Samples | Learn how to use Advanced hunting APIs and multiple APIs such as PowerShell. Other examples include [schedule advanced hunting using Microsoft Flow](run-advanced-query-sample-ms-flow.md) or [OData queries](exposed-apis-odata-samples.md). diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md index c45ead9ecd..261e038a76 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Use the custom threat intelligence API to create custom alerts description: Use the threat intelligence API in Windows Defender Advanced Threat Protection to create custom alerts keywords: threat intelligence, alert definitions, indicators of compromise search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 04/24/2018 # Use the threat intelligence API to create custom alerts **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) diff --git a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index 42e5a71b83..b61baaafb2 100644 --- a/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Overview of Windows Defender Security Center description: Learn about the features on Windows Defender Security Center, including how alerts work, and suggestions on how to investigate possible breaches and attacks. keywords: dashboard, alerts queue, manage alerts, investigation, investigate alerts, investigate machines, submit files, deep analysis, high, medium, low, severity, ioc, ioa search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -15,6 +16,10 @@ ms.date: 03/12/2018 # Overview of Windows Defender Security Center +**Applies to:** + +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink) Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities. diff --git a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md index 122fd23da5..505e031a5a 100644 --- a/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/user-roles-windows-defender-advanced-threat-protection.md @@ -3,6 +3,7 @@ title: Create and manage roles for role-based access control description: Create roles and define the permissions assigned to the role as part of the role-based access control implimentation keywords: user roles, roles, access rbac search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -16,7 +17,7 @@ ms.date: 09/03/2018 # Create and manage roles for role-based access control **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-roles-abovefoldlink) diff --git a/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md new file mode 100644 index 0000000000..509ded9db9 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/user-windows-defender-advanced-threat-protection-new.md @@ -0,0 +1,23 @@ +--- +title: File resource type +description: Retrieves top recent alerts. +keywords: apis, graph api, supported apis, get, alerts, recent +search.product: eADQiWindows 10XVcnh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 12/08/2017 +--- + +# User resource type + +Method|Return Type |Description +:---|:---|:--- +[List User related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection-new.md) | [alert](alerts-windows-defender-advanced-threat-protection-new.md) collection | List all the alerts that are associated with a [user](user-windows-defender-advanced-threat-protection-new.md). +[List User related machines](get-user-related-machines-windows-defender-advanced-threat-protection-new.md) | [machine](machine-windows-defender-advanced-threat-protection-new.md) collection | List all the machines that were logged on by a [user](user-windows-defender-advanced-threat-protection-new.md). + + diff --git a/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md new file mode 100644 index 0000000000..7ecf9f1fda --- /dev/null +++ b/windows/security/threat-protection/windows-defender-atp/view-incidents-queue.md @@ -0,0 +1,75 @@ +--- +title: View and organize the Incidents queue +description: See the list of incidents and learn how to apply filters to limit the list and get a more focused view. +keywords: view, organize, incidents, aggregate, investigations, queue, ttp +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: macapara +author: mjcaparas +ms.localizationpriority: medium +ms.date: 10/08/2018 +--- + +# View and organize the Windows Defender Advanced Threat Protection Incidents queue +**Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) + +[!include[Prerelease information](prerelease.md)] + +The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. + +By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first. + +There are several options you can choose from to customize the Incidents queue view. + +On the top navigation you can: +- Customize columns to add or remove columns +- Modify the number of items to view per page +- Select the items to show per page +- Batch-select the incidents to assign +- Navigate between pages +- Apply filters + +![Image of incidents queue](images/atp-incident-queue.png) + +## Sort and filter the incidents queue +You can apply the following filters to limit the list of incidents and get a more focused view. + +Incident severity | Description +:---|:--- +High
    (Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on machines. +Medium
    (Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages. +Low
    (Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization. +Informational
    (Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of. + +### Category +Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context. + +### Alerts +Indicates the number of alerts associated with or part of the incidents. + + +### Machines +You can limit to show only the machines at risk which are associated with incidents. + +### Users +You can limit to show only the users of the machines at risk which are associated with incidents. + +### Assigned to +You can choose to show between unassigned incidents or those which are assigned to you. + +### Status +You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved + +### Classification +Use this filter to choose between focusing on incidents flagged as true or false incidents. + +## Related topics +- [Incidents queue](incidents-queue.md) +- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) +- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md) + diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index a67e865ccb..7f1f28e13e 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -1,8 +1,9 @@ --- title: Windows Defender Advanced Threat Protection description: Windows Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats. -keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence +keywords: introduction to Windows Defender Advanced Threat Protection, introduction to Windows Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, secure score, advanced hunting, microsoft threat protection search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library @@ -10,7 +11,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 11/07/2018 --- # Windows Defender Advanced Threat Protection @@ -21,17 +22,104 @@ ms.date: 09/03/2018 Windows Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. -To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Windows Defender Security Center. +Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: + +- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors + collect and process behavioral signals from the operating system and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP. + + +- **Cloud security analytics**: Leveraging big-data, machine-learning, and + unique Microsoft optics across the Windows ecosystem, + enterprise cloud products (such as Office 365), and online assets, behavioral signals + are translated into insights, detections, and recommended responses + to advanced threats. + +- **Threat intelligence**: Generated by Microsoft hunters, security teams, + and augmented by threat intelligence provided by partners, threat + intelligence enables Windows Defender ATP to identify attacker + tools, techniques, and procedures, and generate alerts when these + are observed in collected sensor data. + + +

    Windows Defender ATP

    + + + + + + + + + + + + + + + +
    + +

    Attack surface reduction

    Next generation protection

    Endpoint detection and response

    Automated investigation and remediation

    Secure score

    Advanced hunting
    +
    Management and APIs
    Microsoft Threat Protection
    +
    + + + + + +>[!TIP] +>- Learn about the latest enhancements in Windows Defender ATP: [What's new in Windows Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). +>- Windows Defender ATP demonstrated industry-leading optics and detection capabilities in the recent MITRE evaluation. Read: [Insights from the MITRE ATT&CK-based evaluation](https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/insights-from-the-mitre-attack-based-evaluation-of-windows-defender-atp/). + +**[Attack surface reduction](overview-attack-surface-reduction.md)**
    +The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. + + + +**[Next generation protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10)**
    +To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. + + + +**[Endpoint detection and response](overview-endpoint-detection-response.md)**
    +Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. + + + +**[Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md)**
    +In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. + + + + +**[Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md)**
    +Windows Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. + + + +**[Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md)**
    +Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your organization. + + + +**[Management and APIs](management-apis.md)**
    +Integrate Windows Defender Advanced Threat Protection into your existing workflows. + + + +**[Microsoft Threat Protection](threat-protection-integration.md)**
    + Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization. + -The Windows Defender ATP platform is where all the capabilities that are available across multiple products come together to give security operations teams the ability to effectively manage their organization's network. ## In this section +To help you maximize the effectiveness of the security platform, you can configure individual capabilities that surface in Windows Defender Security Center. Topic | Description :---|:--- [Overview](overview.md) | Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform. [Get started](get-started.md) | Learn about the requirements of the platform and the initial steps you need to take to get started with Windows Defender ATP. -[Cconfigure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Windows Defender ATP. +[Configure and manage capabilities](onboard.md)| Configure and manage the individual capabilities in Windows Defender ATP. [Troubleshoot Windows Defender ATP](troubleshoot-wdatp.md) | Learn how to address issues that you might encounter while using the platform. ## Related topic diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md index ea7e9fd67b..9791947810 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md @@ -3,6 +3,7 @@ title: Windows Defender Security Center description: Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection. keywords: windows, defender, security, center, defender, advanced, threat, protection search.product: eADQiWindows 10XVcnh +search.appverid: met150 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 99f362c3fb..125ff2e581 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -1,5 +1,5 @@ --- -title: Use Attack surface reduction rules to prevent malware infection +title: Use attack surface reduction rules to prevent malware infection description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention search.product: eADQiWindows 10XVcnh @@ -11,38 +11,35 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 11/29/2018 --- - - -# Reduce attack surfaces with Windows Defender Exploit Guard - +# Reduce attack surfaces with attack surface reduction rules **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) -Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. -Attack surface reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature is part of Windows Defender Advanced Threat Protection and provides: -Attack surface reduction has a number of [rules](#attack-surface-reduction-rules), each of which targets specific behaviors that are typically used by malware and malicious apps to infect machines, such as: +- Rules you can set to enable or disable specific behaviors that are typically used by malware and malicious apps to infect machines, such as: + - Executable files and scripts used in Office apps or web mail that attempt to download or run files + - Scripts that are obfuscated or otherwise suspicious + - Behaviors that apps undertake that are not usually initiated during normal day-to-day work +- Centralized monitoring and reporting with deep optics that help you connect the dots across events, computers and devices, and networks +- Analytics to enable ease of deployment, by using [audit mode](audit-windows-defender-exploit-guard.md) to show how attack surface reduction rules would impact your organization if they were enabled -- Executable files and scripts used in Office apps or web mail that attempt to download or run files -- Scripts that are obfuscated or otherwise suspicious -- Behaviors that apps undertake that are not usually initiated during normal day-to-day work +When an attack surface reduction rule is triggered, a notification displays from the Action Center on the user's computer. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. -When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. - -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack surface reduction would impact your organization if it were enabled. +Attack surface reduction is supported on Windows 10, version 1709 and later and Windows Server 2019. ## Requirements -Attack surface reduction requires Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). +Attack surface reduction rules are a feature of Windows Defender ATP and require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). ## Attack surface reduction rules -The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table: +The following sections describe what each rule does. Each rule is identified by a rule GUID, as in the following table. Rule name | GUID -|- @@ -58,34 +55,24 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c -The rules apply to the following Office apps: - -- Microsoft Word -- Microsoft Excel -- Microsoft PowerPoint -- Microsoft OneNote - -The rules do not apply to any other Office apps. - ### Rule: Block executable content from email client and webmail - This rule blocks the following file types from being run or launched from an email seen in either Microsoft Outlook or webmail (such as Gmail.com or Outlook.com): - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) - Script archive files ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block all Office applications from creating child processes Office apps will not be allowed to create child processes. This includes Word, Excel, PowerPoint, OneNote, and Access. +>[!NOTE] +>This does not include Outlook. For Outlook, please see [Block Office communication applications from creating child processes](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard#rule-block-office-communication-applications-from-creating-child-processes). + This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. ### Rule: Block Office applications from creating executable content @@ -94,41 +81,29 @@ This rule targets typical behaviors used by suspicious and malicious add-ons and Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. - ### Rule: Block Office applications from injecting code into other processes - -Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. +Office apps, including Word, Excel, PowerPoint, and OneNote, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block JavaScript or VBScript From launching downloaded executable content JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. - ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - ### Rule: Block execution of potentially obfuscated scripts Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. -It uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script, or blocks scripts when an attempt is made to access them. - ### Rule: Block Win32 API calls from Office macro Malware can use macro code in Office files to import and load Win32 DLLs, which can then be used to make API calls to allow further infection throughout the system. -This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. +This rule attempts to block Office files that contain macro code that is capable of importing Win32 DLLs. This includes Word, Excel, PowerPoint, and OneNote. ### Rule: Block executable files from running unless they meet a prevalence, age, or trusted list criteria @@ -150,9 +125,6 @@ This rule provides an extra layer of protection against ransomware. Executable f Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS. ->[!IMPORTANT] ->[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). - >[!NOTE] >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. @@ -170,33 +142,40 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -### Rule: Block only Office communication applications from creating child processes (available for beta testing) +### Rule: Block Office communication application from creating child processes -Office communication apps will not be allowed to create child processes. This includes Outlook. +Outlook will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. -### Rule: Block Adobe Reader from creating child processes (available for beta testing) +>[!NOTE] +>This rule applies to Outlook only. + +### Rule: Block Adobe Reader from creating child processes This rule blocks Adobe Reader from creating child processes. -## Review Attack surface reduction events in Windows Event Viewer +## Review attack surface reduction rule events in the Windows Defender ATP Security Center -You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): +Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). + +You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how attack surface reduction rules would affect your environment if they were enabled. + +## Review attack surface reduction rule events in Windows Event Viewer + +You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited): 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. +2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. -2. On the left panel, under **Actions**, click **Import custom view...** +3. On the left panel, under **Actions**, click **Import custom view...** + +4. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) +5. Click **OK**. -3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the following events related to Attack surface reduction: +6. This will create a custom view that filters to only show the following events related to attack surface reduction rules: Event ID | Description -|- @@ -204,8 +183,6 @@ You can review the Windows event log to see events that are created when an Atta 1122 | Event when rule fires in Audit-mode 1121 | Event when rule fires in Block-mode - - ### Event fields - **ID**: matches with the Rule-ID that triggered the block/audit. @@ -213,12 +190,15 @@ You can review the Windows event log to see events that are created when an Atta - **Process Name**: The process that performed the "operation" that was blocked/audited - **Description**: Additional details about the event or audit, including the signature, engine, and product version of Windows Defender Antivirus +## Attack surface reduction rules in Windows 10 Enterprise E3 + +A subset of attack surface reduction rules are also available on Windows 10 Enterprise E3 without the benefit of centralized monitoring, reporting, and analytics. For more information, see [Use attack surface reduction rules in Windows 10 Enterprise E3](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3). ## In this section Topic | Description ---|--- -[Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created. -[Enable Attack surface reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack surface reduction in your network. -[Customize Attack surface reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack surface reduction and customize the notification that appears on a user's machine when a rule blocks an app or file. +[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. +[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. +[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md new file mode 100644 index 0000000000..4cc8fbd9f5 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md @@ -0,0 +1,51 @@ +--- +title: Use attack surface reduction rules in Windows 10 Enterprise E3 +description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware +keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +author: andreabichsel +ms.author: v-anbic +ms.date: 10/15/2018 +--- + +# Use attack surface reduction rules in Windows 10 Enterprise E3 + +**Applies to:** + +- Windows 10 Enterprise E3 + +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. + +A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises. + +Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. + +The limited subset of rules that can be used in Windows 10 Enterprise E3 include: + +- Block executable content from email client and webmail +- Block all Office applications from creating child processes +- Block Office applications from creating executable content +- Block Office applications from injecting code into other processes +- Block JavaScript or VBScript from launching downloaded executable content +- Block execution of potentially obfuscated scripts +- Block Win32 API calls from Office macro +- Use advanced protection against ransomware +- Block credential stealing from the Windows local security authority subsystem (lsass.exe) +- Block process creations originating from PSExec and WMI commands +- Block untrusted and unsigned processes that run from USB + +For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard). + + ## Related topics + +Topic | Description +---|--- +[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. +[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. +[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 5e7831035b..a17ef04dd9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 09/18/2018 --- @@ -19,20 +19,15 @@ ms.date: 08/08/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - - - - - -You can enable attack surface reduction, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. +You can enable attack surface reduction rules, exploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. @@ -45,10 +40,10 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs) Audit options | How to enable audit mode | How to view events - | - | - -Audit applies to all events | [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) -Audit applies to individual rules | [Enable Attack surface reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack surface reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) -Audit applies to all events | [Enable Network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) -Audit applies to individual mitigations | [Enable Exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) +Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md) +Audit applies to all events | [Enable network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) +Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) You can also use the a custom PowerShell script that enables the features in audit mode automatically: @@ -69,14 +64,9 @@ You can also use the a custom PowerShell script that enables the features in aud A message should appear to indicate that audit mode was enabled. - ## Related topics - - [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Reduce attack surfaces with](attack-surface-reduction-exploit-guard.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) - [Protect your network](network-protection-exploit-guard.md) - [Protect important folders](controlled-folders-exploit-guard.md) - - - diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index 72daf4a2bc..9448ed601f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md @@ -18,19 +18,15 @@ ms.date: 08/08/2018 **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using attack surface reduction rules, network protection, exploit protection, and controlled folder access. - -- IT administrators - -This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using Windows Defender Exploit Guard. - -In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [Network protection](network-protection-exploit-guard.md). +In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) if you indicate that you have encountered a problem with [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [network protection](network-protection-exploit-guard.md). Before attempting this process, ensure you have met all required pre-requisites and taken any other suggested troubleshooting steps as described in these topics: -- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) -- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md) +- [Troubleshoot attack surface reduction rules](troubleshoot-asr.md) +- [Troubleshoot network protection](troubleshoot-np.md) @@ -63,7 +59,7 @@ Before attempting this process, ensure you have met all required pre-requisites ## Related topics -- [Troubleshoot ASR rules](troubleshoot-asr.md) -- [Troubleshoot Network protection](troubleshoot-np.md) +- [Troubleshoot attack surface reduction rules](troubleshoot-asr.md) +- [Troubleshoot network protection](troubleshoot-np.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index a5c31c8baf..68bff70bd4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -11,21 +11,17 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 11/29/2018 --- - - # Protect important folders with controlled folder access - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. -Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. @@ -35,43 +31,47 @@ A notification will appear on the computer where the app attempted to make chang The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. -You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +Controlled folder access is supported on Windows 10, version 1709 and later and Windows Server 2019. ## Requirements -Controlled folder access requires enabling [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). +Controlled folder access requires enabling [Windows Defender Antivirus real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). +## Review controlled folder access events in the Windows Defender ATP Security Center -## Review Controlled folder access events in Windows Event Viewer +Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -You can review the Windows event log to see events that are created when Controlled folder access blocks (or audits) an app: +You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how controlled folder access settings would affect your environment if they were enabled. + +## Review controlled folder access events in Windows Event Viewer + +You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. 2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 3. On the left panel, under **Actions**, click **Import custom view...**. - - ![Animation showing the import custom view on the Event viewer window](images/events-import.gif) - + 4. Navigate to where you extracted *cfa-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Controlled folder access: +5. This will create a custom view that filters to only show the following events related to controlled folder access: Event ID | Description -|- 5007 | Event when settings are changed -1124 | Audited Controlled folder access event -1123 | Blocked Controlled folder access event +1124 | Audited controlled folder access event +1123 | Blocked controlled folder access event ## In this section Topic | Description ---|--- -[Evaluate Controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled folder access works, and what events would typically be created. -[Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled folder access in your network -[Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. +[Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. +[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network +[Customize controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index dbe8cbe7a5..2b00cbb179 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md @@ -1,5 +1,5 @@ --- -title: Configure how ASR works to finetune protection in your network +title: Configure how attack surface reduction rules work to finetune protection in your network description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude search.product: eADQiWindows 10XVcnh @@ -11,30 +11,29 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 12/19/2018 --- -# Customize attack surface reduction +# Customize attack surface reduction rules **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. -Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - -This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. +This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by most Attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an Attack surface reduction rule, the file will not be blocked from running. +You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. This could potentially allow unsafe files to run and infect your devices. >[!WARNING] ->Excluding files or folders can severely reduce the protection provided by Attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. +>Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. > >If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). @@ -42,42 +41,36 @@ You can specify individual files or folders (using folder paths or fully qualifi Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). -Exclusions will only be applied to certain rules. Some rules will not honor the exclusion list. This means that even if you have added a file to the exclusion list, some rules will still evaluate and potentially block that file if the rule determines the file to be unsafe. +Exclusions apply to all attack surface reduction rules. ->[!IMPORTANT] ->Rules that do not honor the exclusion list will not exclude folders or files added in the exclusion list. All files will be evaluated and potentially blocked by rules that do not honor the exclusion list (indicated with a red X in the following table). - - -Rule description | Rule honors exclusions | GUID +Rule description | GUID -|:-:|- -Block all Office applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block execution of potentially obfuscated scripts | [!include[Check mark yes](images/svg/check-yes.svg)] | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro | [!include[Check mark yes](images/svg/check-yes.svg)] | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -Block Office applications from creating executable content | [!include[Check mark yes](images/svg/check-yes.svg)] | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting code into other processes | [!include[Check mark no](images/svg/check-no.svg)] | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Block JavaScript or VBScript from launching downloaded executable content | [!include[Check mark no](images/svg/check-no.svg)] | D3E037E1-3EB8-44C8-A917-57927947596D -Block executable content from email client and webmail | [!include[Check mark no](images/svg/check-no.svg)] | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block executable files from running unless they meet a prevalence, age, or trusted list criteria | [!include[Check mark yes](images/svg/check-yes.svg)] | 01443614-cd74-433a-b99e-2ecdc07bfc25 -Use advanced protection against ransomware | [!include[Check mark yes](images/svg/check-yes.svg)] | c1db55ab-c21a-4637-bb3f-a12568109d35 -Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c -Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block only Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - - -See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. +Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A +Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC +Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 +Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 +Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D +Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 +Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 +Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 +Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 +Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c +Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 +Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. ### Use Group Policy to exclude files and folders -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. -6. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. +4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. ### Use PowerShell to exclude files and folderss @@ -90,7 +83,6 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. - >[!IMPORTANT] >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. @@ -98,17 +90,13 @@ Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions. - - ## Customize the notification -See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. - - +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. ## Related topics -- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) -- [Enable Attack surface reduction](enable-attack-surface-reduction.md) -- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) +- [Enable attack surface reduction rules](enable-attack-surface-reduction.md) +- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index aebfd7efca..5f501170df 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -11,22 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 10/02/2018 --- - - # Customize controlled folder access - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. - -This topic describes how to customize the following settings of the Controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): +This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs): - [Add additional folders to be protected](#protect-additional-folders) - [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders) @@ -36,42 +32,38 @@ This topic describes how to customize the following settings of the Controlled f > >This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact. - ## Protect additional folders Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you cannot remove the default folders in the default list. -Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. +Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. -You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). +You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). -You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders. +You can use the Windows Security app or Group Policy to add and remove additional protected folders. -### Use the Windows Defender Security Center app to protect additional folders +### Use the Windows Security app to protect additional folders -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**: 3. Under the **Controlled folder access** section, click **Protected folders** 4. Click **Add a protected folder** and follow the prompts to add apps. - - ![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png) - ### Use Group Policy to protect additional folders -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. -6. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. +4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. ### Use PowerShell to protect additional folders @@ -82,38 +74,32 @@ You can use the Windows Defender Security Center app or Group Policy to add and Add-MpPreference -ControlledFolderAccessProtectedFolders "" ``` - -Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app. - +Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app. ![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png) - >[!IMPORTANT] >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to protect additional folders -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. +## Allow specific apps to make changes to controlled folders - - ## Allow specific apps to make changes to controlled folders - -You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the Controlled folder access feature. +You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. >[!IMPORTANT] ->By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets. +>By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. >You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. +You can use the Windows Security app or Group Policy to add and remove apps that should be allowed to access protected folders. -You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders. - -When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by Controlled folder access. +When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. ### Use the Windows Defender Security app to allow specific apps -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. @@ -127,13 +113,11 @@ When you add an app, you have to specify the app's location. Only the app in tha 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. - -6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. ### Use PowerShell to allow specific apps @@ -149,27 +133,22 @@ When you add an app, you have to specify the app's location. Only the app in tha ```PowerShell Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe" ``` - -Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app. - +Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app. ![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png) - >[!IMPORTANT] >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. - - ### Use MDM CSPs to allow specific apps Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Customize the notification -See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. ## Related topics -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) -- [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) -- [Evaluate attack surface reduction](evaluate-windows-defender-exploit-guard.md) \ No newline at end of file +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) +- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) +- [Evaluate attack surface reduction rules](evaluate-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 59513ac8ec..2ad55e0a66 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -1,7 +1,7 @@ --- title: Enable or disable specific mitigations used by Exploit protection keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr -description: You can enable individual mitigations using the Windows Defender Security Center app or PowerShell. You can also audit mitigations and export configurations. +description: You can enable individual mitigations using the Windows Security app or PowerShell. You can also audit mitigations and export configurations. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,36 +11,22 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 11/16/2018 --- -# Customize Exploit protection +# Customize exploit protection **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - - - - - - - - - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. - -You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. +You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. - This topic lists each of the mitigations available in Exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. + This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. -It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). +It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). >[!WARNING] >Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network. @@ -49,14 +35,10 @@ It also describes how to enable or configure the mitigations using Windows Defen All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level. - You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table. - Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". -![Screenshot showing the drop down menu for DEP which shows the default for DEP as On](images/ep-default.png) - The **Use default** configuration for each of the mitigation settings indicates our recommendation for a base level of protection for everyday usage for home users. Enterprise deployments should consider the protection required for their individual needs and may need to modify configuration away from the defaults. For the associated PowerShell cmdlets for each mitigation, see the [PowerShell reference table](#cmdlets-table) at the bottom of this topic. @@ -71,19 +53,19 @@ Validate exception chains (SEHOP) | Ensures the integrity of an exception chain Validate heap integrity | Terminates a process when heap corruption is detected. | System and app-level | [!include[Check mark no](images/svg/check-no.svg)] Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed executable code and prevents code pages from being modified. Can optionally allow thread opt-out and allow remote downgrade (configurable only with PowerShell). | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Export address filtering (EAF) | Detects dangerous operations being resolved by malicious code. Can optionally validate access by modules commonly used by exploits. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Import address filtering (IAF) | Detects dangerous operations being resolved by malicious code. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Simulate execution (SimExec) | Ensures that calls to sensitive APIs return to legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Validate API invocation (CallerCheck) | Ensures that sensitive APIs are invoked by legitimate callers. Only configurable for 32-bit (x86) applications. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] Validate handle usage | Causes an exception to be raised on any invalid handle references. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] -Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] -Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)] +Validate image dependency integrity | Enforces code signing for Windows image dependency loading. | App-level only | [!include[Check mark no](images/svg/check-no.svg)] +Validate stack integrity (StackPivot) | Ensures that the stack has not been redirected for sensitive APIs. Not compatible with ACG | App-level only | [!include[Check mark no](images/svg/check-no.svg)] >[!IMPORTANT] >If you add an app to the **Program settings** section and configure individual mitigation settings there, they will be honored above the configuration for the same mitigations specified in the **System settings** section. The following matrix and examples help to illustrate how defaults work: @@ -118,11 +100,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi >The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. >CFG will be enabled for *miles.exe*. +### Configure system-level mitigations with the Windows Security app - -### Configure system-level mitigations with the Windows Defender Security Center app - -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. @@ -134,9 +114,7 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi >[!NOTE] >You may see a User Account Control window when changing some settings. Enter administrator credentials to apply the setting. - Changing some settings may required a restart, which will be indicated in red text underneath the setting. - - ![Screenshot showing the DEP drop down menu where you can select On, Off, or Default](images/wdsc-exp-prot-sys-settings.png) + Changing some settings may required a restart, which will be indicated in red text underneath the setting. 4. Repeat this for all the system-level mitigations you want to configure. @@ -144,10 +122,9 @@ You can now [export these settings as an XML file](import-export-exploit-protect Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. +### Configure app-specific mitigations with the Windows Security app -### Configure app-specific mitigations with the Windows Defender Security Center app - -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings** at the bottom of the screen. @@ -157,31 +134,24 @@ Exporting the configuration as an XML file allows you to copy the configuration 2. If the app is not listed, at the top of the list click **Add program to customize** and then choose how you want to add the app: - Use **Add by program name** to have the mitigation applied to any running process with that name. You must specify a file with an extension. You can enter a full path to limit the mitigation to only the app with that name in that location. - Use **Choose exact file path** to use a standard Windows Explorer file picker window to find and select the file you want. - - ![Screenshot showing the add file or folder button](images/wdsc-exp-prot-app-settings.png) - - + 4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows. 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration. - - ![Screenshot showing some of the options available for an added program](images/wdsc-exp-prot-app-settings-options.png) - + You can now [export these settings as an XML file](import-export-exploit-protection-emet-xml.md) or return to configure system-level mitigations. Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. +## PowerShell reference - ## PowerShell reference + You can use the Windows Security app to configure Exploit protection, or you can use PowerShell cmdlets. - You can use the Windows Defender Security Center app to configure Exploit protection, or you can use PowerShell cmdlets. - - The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. + The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. >[!IMPORTANT] >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden. - You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell @@ -195,15 +165,13 @@ Get-ProcessMitigation -Name processName.exe > >For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Defender Security Center, as described in the [Configure system-level mitigations with the Windows Defender Security Center app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app). +>The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app). Use `Set` to configure each mitigation in the following format: ```PowerShell Set-ProcessMitigation - - ,, ``` - - Where: - \: @@ -213,8 +181,7 @@ Where: - `-Enable` to enable the mitigation - `-Disable` to disable the mitigation - \: - - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma. - + - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is separated with a comma. For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: @@ -223,7 +190,7 @@ Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable DEP, EmulateAt ``` >[!IMPORTANT] - >Seperate each mitigation option with commas. + >Separate each mitigation option with commas. If you wanted to apply DEP at the system level, you'd use the following command: @@ -292,12 +259,12 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu ## Customize the notification -See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. ## Related topics - [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md index f37c7b6665..3b65d090e5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md @@ -14,22 +14,18 @@ ms.author: v-anbic ms.date: 08/08/2018 --- - - # Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) >[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. > >You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP. +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. @@ -40,9 +36,7 @@ After July 31, 2018, it will not be supported. For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: - [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) - - +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) ## Feature comparison @@ -52,33 +46,29 @@ For more information about the individual features and mitigations available in   | Windows Defender Exploit Guard | EMET -|:-:|:-: Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
    All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
    Windows 8.1; Windows 8; Windows 7
    Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
    (no additional installation required)
    Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
    [Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
    Ends after July 31, 2018 +Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
    (no additional installation required)
    Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device +User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training +Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
    [Part of the Windows 10 support lifecycle](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
    Ends after July 31, 2018 Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
    Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
    No planned updates or development Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
    All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
    [Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited set of mitigations Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
    [Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited ruleset configuration only for modules (no processes) Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps protect important folders](controlled-folders-exploit-guard.md)
    [Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Requires installation and use of EMET tool +Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Requires installation and use of EMET tool Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Available Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Requires use of EMET tool (EMET_CONF) -System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available +System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available +Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
    With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
    [Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Limited to EAF, EAF+, and anti-ROP mitigations - - ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). ([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. - - ## Mitigation comparison -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md). +The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. @@ -109,10 +99,6 @@ Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] - - - - >[!NOTE] >The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. > @@ -122,9 +108,9 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check ## Related topics - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 4c1735dfdf..8e84a3872c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,35 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 10/17/2018 --- - -# Enable Attack surface reduction - +# Enable attack surface reduction rules **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. - - - - - - - - - - - - -Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - - - -## Enable and audit Attack surface reduction rules +## Enable and audit attack surface reduction rules You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode. @@ -51,44 +34,40 @@ You can manually add the rules by using the GUIDs in the following table: Rule description | GUID -|- -Block executable content from email client and webmail | BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -Block all Office applications from creating child processes | D4F940AB-401B-4EFC-AADC-AD5F3C50688A -Block Office applications from creating executable content | 3B576869-A4EC-4529-8536-B80A7769E899 -Block Office applications from injecting code into other processes | 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 -Block JavaScript or VBScript from launching downloaded executable content | D3E037E1-3EB8-44C8-A917-57927947596D -Block execution of potentially obfuscated scripts | 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC -Block Win32 API calls from Office macro | 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B +Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9B1eeee46550 +Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a +Block Office applications from creating executable content | 3b576869-a4eC-4529-8536-b80a7769e899 +Block Office applications from injecting code into other processes | 75668c1f-73b5-4Cf0-bb93-3ecf5cb7cc84 +Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d +Block execution of potentially obfuscated scripts | 5beb7efe-fd9A-4556-801d-275e5ffc04cc +Block Win32 API calls from Office macro | 92e97fa1-2edf-4476-bdd6-9dd0B4dddc7b Block executable files from running unless they meet a prevalence, age, or trusted list criteria | 01443614-cd74-433a-b99e-2ecdc07bfc25 Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. -### Use Group Policy to enable or audit Attack surface reduction rules +### Use Group Policy to enable or audit attack surface reduction rules +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. -5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. - -6. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: +4. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - Block mode = 1 - Disabled = 0 - Audit mode = 2 -![Group policy setting showing a blank ASR rule ID and value of 1](images/asr-rules-gp.png) - - - - - ### Use PowerShell to enable or audit Attack surface reduction rules +![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + +### Use PowerShell to enable or audit attack surface reduction rules 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -97,14 +76,11 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` - - You can enable the feature in audit mode using the following cmdlet: ```PowerShell Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode ``` - Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. >[!IMPORTANT> @@ -124,15 +100,12 @@ You can also the `Add-MpPreference` PowerShell verb to add new rules to the exis >You can obtain a list of rules and their current state by using `Get-MpPreference` -### Use MDM CSPs to enable Attack surface reduction rules +### Use MDM CSPs to enable attack surface reduction rules -Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. - - - +Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule. ## Related topics -- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) -- [Customize Attack surface reduction](customize-attack-surface-reduction.md) -- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) +- [Customize attack surface reduction](customize-attack-surface-reduction.md) +- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 62f8359359..79fb8541bf 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,43 +11,37 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 10/02/2018 --- - - # Enable controlled folder access - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - -This topic describes how to enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). - +This topic describes how to enable Controlled folder access with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). ## Enable and audit controlled folder access You can enable controlled folder access with the Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. - >[!NOTE] ->The Controlled folder access feature will display the state in the Windows Defender Security Center app under **Virus & threat protection settings**. ->If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Defender Security Center app after a restart of the device. ->If the feature is set to **Audit mode** with any of those tools, the Windows Defender Security Center app will show the state as **Off**. +>The Controlled folder access feature will display the state in the Windows Security app under **Virus & threat protection settings**. +>If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. +>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. >See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works. >

    ->Group Policy settings that disable local administrator list merging will override Controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through Controlled folder access. These policies include: +>Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include: >- Windows Defender Antivirus **Configure local administrator merge behavior for lists** >- System Center Endpoint Protection **Allow users to add exclusions and overrides** >For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). -### Use the Windows Defender Security app to enable Controlled folder access +### Use the Windows Defender Security app to enable controlled folder access -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. @@ -70,28 +64,29 @@ You can enable controlled folder access with the Security Center app, Group Poli ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png) >[!IMPORTANT] ->To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. +>To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu. -### Use PowerShell to enable Controlled folder access +### Use PowerShell to enable controlled folder access + +1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**. -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: ```PowerShell Set-MpPreference -EnableControlledFolderAccess Enabled ``` -You can enable the feauting in audit mode by specifying `AuditMode` instead of `Enabled`. +You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`. Use `Disabled` to turn the feature off. -### Use MDM CSPs to enable Controlled folder access +### Use MDM CSPs to enable controlled folder access Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Related topics -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) -- [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) +- [Customize controlled folder access](customize-controlled-folders-exploit-guard.md) - [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index c9c10f4b93..70500e0307 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -1,5 +1,5 @@ --- -title: Turn on Exploit protection to help mitigate against attacks +title: Turn on exploit protection to help mitigate against attacks keywords: exploit, mitigation, attacks, vulnerability description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET. search.product: eADQiWindows 10XVcnh @@ -14,14 +14,11 @@ ms.author: v-anbic ms.date: 08/08/2018 --- - - # Enable exploit protection - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. @@ -45,7 +42,6 @@ See the following topics for instructions on configuring exploit protection miti 1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md) 2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md). - ## Related topics - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index 93d25b4d0b..d147c77d43 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -1,5 +1,5 @@ --- -title: Turn Network protection on +title: Turn network protection on description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on search.product: eADQiWindows 10XVcnh @@ -14,59 +14,40 @@ ms.author: v-anbic ms.date: 05/30/2018 --- - -# Enable Network protection - +# Enable network protection **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +This topic describes how to enable network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). +## Enable and audit network protection - - - - - - - - - - -Network protection is a feature that helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. - -This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). - - -## Enable and audit Network protection - -You can enable Network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. +You can enable network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +### Use Group Policy to enable or audit network protection -### Use Group Policy to enable or audit Network protection +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. - -6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: +4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: - **Block** - Users will not be able to access malicious IP addresses and domains - **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. >[!IMPORTANT] ->To fully enable the Network protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. +>To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. - - ### Use PowerShell to enable or audit Network protection + ### Use PowerShell to enable or audit network protection 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -75,7 +56,7 @@ For background information on how audit mode works, and when you might want to u Set-MpPreference -EnableNetworkProtection Enabled ``` -You can enable the feauting in audit mode using the following cmdlet: +You can enable the feature in audit mode using the following cmdlet: ``` Set-MpPreference -EnableNetworkProtection AuditMode @@ -84,14 +65,12 @@ Set-MpPreference -EnableNetworkProtection AuditMode Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. +### Use MDM CSPs to enable or audit network protection -### Use MDM CSPs to enable or audit Network protection - - -Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection. +Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure network protection. ## Related topics - [Protect your network](network-protection-exploit-guard.md) -- [Evaluate Network protection](evaluate-network-protection.md) +- [Evaluate network protection](evaluate-network-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 0a7e07c36c..325b6119b3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -6,18 +6,18 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.author: justinha author: brianlic-msft -ms.date: 08/08/2018 +ms.date: 11/15/2018 --- # Enable virtualization-based protection of code integrity **Applies to** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. -This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. +This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. ## How to turn on HVCI in Windows 10 @@ -42,7 +42,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] 1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one. 2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. 3. Double-click **Turn on Virtualization Based Security**. -4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be enabled remotely or select **Enabled without UEFI lock**. +4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. ![Enable HVCI using Group Policy](images\enable-hvci-gp.png) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index d641593a68..290fbdaae4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -1,5 +1,5 @@ --- -title: Use a demo to see how ASR can help protect your devices +title: Use a demo to see how ASR rules can help protect your devices description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo search.product: eADQiWindows 10XVcnh @@ -11,202 +11,25 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 11/16/2018 --- - -# Evaluate Attack surface reduction rules +# Evaluate attack surface reduction rules **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. - - - - - - - - - - - - - - -Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - -This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. - ->[!NOTE] ->This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). +This topic helps you evaluate attack surface reduction rules. It explains how to enable audit mode so you can test the feature directly in your organization. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. - -## Use the demo tool to see how Attack surface reduction works - -Use the **ExploitGuard ASR test tool** app to see how Attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. - -The tool is part of the Windows Defender Exploit Guard evaluation package: -- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) - -This tool has a simple user interface that lets you choose a rule, configure it in blocking, audit, or disabled mode, and run a pre-created series of actions that would be evaluated by the rule. - -When you run a scenario, you will see what the scenario entails, what the rule is set to, and what actions were taken. - -![Screenshot of the Exploit guard demo tool](images/asr-test-tool.png) - -Each scenario creates a fake or sample file or behavior that the rule would target and, if the rule was enabled, block from running. - ->[!IMPORTANT] ->The settings you change while using this tool will be cleared when you close the tool. If you want to test the feature in a production environment, you should consider using [audit mode to measure impact](#use-audit-mode-to-measure-impact), or see the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). - -**Run a rule using the demo tool:** - -1. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard ASR test tool* to a location on your PC that is easy to access (such as your desktop). - -2. Run the tool by double-clicking the version that matches your operating system - either 64-bit (x64) or 32-bit (x86). If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. - - - >[!IMPORTANT] - >Make sure you use the version of the tool that is appropriate for the machine you are using. Use the x86 version for 32-bit versions of Windows 10, or use the x64 version for 64-bit versions of Windows 10. - -3. Select the rule from the drop-down menu. - -4. Select the mode, **Disabled**, **Block**, or **Audit**. - 1. Optionally, click **Show Advanced Options** and choose a specific scenario (or all scenarios sequentially by selecting **All Scenarios**), enter a delay, or click **Leave Dirty**. - -5. Click **RunScenario**. - -The scenario will run, and an output will appear describing the steps taken. - -You can right-click on the output window and click **Open Event Viewer** to see the relevant event in Windows Event Viewer. - ->[!TIP] ->You can click **Save Filter to Custom View...** in the Event Viewer to create a custom view so you can easily come back to this view as you continue to evaluate rules. - - -Choosing the **Mode** will change how the rule functions: - -Mode option | Description --|- -Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack surface reduction at all. -Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack surface reduction. -Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack surface reduction will work but without impacting how you use the machine. - -Block mode will cause a notification to appear on the user's desktop: - -![Example notification that says Action blocked: Your IT administrator caused Windows Defender Antivirus to block this action. Contact your IT desk.](images/asr-notif.png) - -You can [modify the notification to display your company name and links](customize-attack-surface-reduction.md#customize-the-notification) for users to obtain more information or contact your IT help desk. - -For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). - -The following sections describe what each rule does and what the scenarios entail for each rule. - -### Rule: Block executable content from email client and webmail - - -This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail. - -The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule: - -Scenario name | File type | Program -- | - | - -Random | A scenario will be randomly chosen from this list | Microsoft Outlook or web mail -Mail Client PE | Executable files (such as .exe, .dll, or .scr) | Microsoft Outlook -Mail Client Script | Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) | Microsoft Outlook -Mail Client Script Archive | Script archive files | Microsoft Outlook -WebMail PE | Executable files (such as .exe, .dll, or .scr) | Web mail, such as gmail, outlook, hotmail -WebMail Script | Script files (such as a PowerShell .ps, VBScript .vbs, or JavaScript .js file) | Web mail -WebMail Script Archive | Script archive files | Web mail - - -### Rule: Block Office applications from creating child processes - ->[!NOTE] ->There is only one scenario to test for this rule. - -Office apps, such as Word or Excel, will not be allowed to create child processes. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. - -### Rule: Block Office applications from creating executable content - -This rule targets typical behaviors used by suspicious and malicious add-ons and scripts that create or launch executable files. This is a typical malware technique. - -The following scenarios can be individually chosen: - -- Random - - A scenario will be randomly chosen from this list -- Extension Block - - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. - - -### Rule: Block Office applications from injecting into other processes - - ->[!NOTE] ->There is only one scenario to test for this rule. - - -Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - - - -### Rule: Impede JavaScript and VBScript to launch executables - -JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines. - -- Random - - A scenario will be randomly chosen from this list -- JScript - - JavaScript will not be allowed to launch executable files -- VBScript - - VBScript will not be allowed to launch executable files - - - -### Rule: Block execution of potentially obfuscated scripts - -Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. - - -- Random - - A scenario will be randomly chosen from this list -- AntiMalwareScanInterface - - This scenario uses the [AntiMalwareScanInterface (AMSI)](https://msdn.microsoft.com/library/windows/desktop/dn889587(v=vs.85).aspx) to determine if a script is potentially obfuscated, and then blocks such a script -- OnAccess - - Potentially obfuscated scripts will be blocked when an attempt is made to access them - - -## Review Attack surface reduction events in Windows Event Viewer - -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). - -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -2. On the left panel, under **Actions**, click **Import custom view...** - -3. Navigate to the Exploit Guard Evaluation Package, and select the file *asr-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the following events related to Attack surface reduction: - -Event ID | Description --|- -5007 | Event when settings are changed -1122 | Event when rule fires in Audit-mode -1121 | Event when rule fires in Block-mode - - ## Use audit mode to measure impact -You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature. +You can enable attack surface reduction rules in audit mode. This lets you see a record of what apps would have been blocked if you had enabled attack surface reduction rules. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the rules will fire during normal use. @@ -216,23 +39,20 @@ To enable audit mode, use the following PowerShell cmdlet: Set-MpPreference -AttackSurfaceReductionRules_Actions AuditMode ``` -This enables all Attack surface reduction rules in audit mode. +This enables all attack surface reduction rules in audit mode. >[!TIP] ->If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). +>If you want to fully audit how attack surface reduction rules will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction rules topic](attack-surface-reduction-exploit-guard.md). - - -## Customize Attack surface reduction +## Customize attack surface reduction rules During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. -See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. - +See the [Customize attack surface reduction rules](customize-attack-surface-reduction.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. ## Related topics -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) - [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index db37592aa5..3357f3a4fc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -1,5 +1,5 @@ --- -title: See how CFA can help protect files from being changed by malicious apps +title: See how controlled folder access can help protect files from being changed by malicious apps description: Use a custom tool to see how Controlled folder access works in Windows 10. keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try search.product: eADQiWindows 10XVcnh @@ -11,100 +11,27 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 11/16/2018 --- - -# Evaluate Controlled folder access +# Evaluate controlled folder access **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - - - - - - - - - - - -[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. +[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. -This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. - ->[!NOTE] ->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions on how to use Group Policy, Mobile Device Management (MDM), and System Center Configuration Manager to deploy these settings across your network, see the main [Controlled folder access topic](controlled-folders-exploit-guard.md). +This topic helps you evaluate controlled folder access. It explains how to enable audit mode so you can test the feature directly in your organization. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Use the demo tool to see how Controlled folder access works - -Use the **ExploitGuard CFA File Creator** tool to see how Controlled folder access can prevent a suspicious app from creating files in protected folders. - -The tool is part of the Windows Defender Exploit Guard evaluation package: -- [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) - -This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. - -You can enable Controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. - - - -1. Type **powershell** in the Start menu. - -2. Right-click **Windows PowerShell**, click **Run as administrator** and click **Yes** or enter admin credentials at the prompt. - -3. Enter the following in the PowerShell window to enable Controlled folder access: - ```PowerShell - Set-MpPreference -EnableControlledFolderAccess Enabled - ``` - -4. Open the Exploit Guard Evaluation Package and copy the file *ExploitGuard CFA File Creator.exe* to a location on your PC that is easy to access (such as your desktop). - -5. Run the tool by double-clicking it. If a Windows Defender SmartScreen notification appears, click **More details** and then **Run anyway**. - -6. You'll be asked to specify a name and location for the file. You can choose anything you wish to test. - - ![Screenshot of the exploit guard demo tool](images/cfa-filecreator.png) - -7. A notification will appear, indicating that the tool was prevented from creating the file, as in the following example: - - ![Exampke notification that says Unauthorized changes blocked: Controlled folder access blocked (file name) from making changes to the folder (folder name)](images/cfa-notif.png) - -## Review Controlled folder access events in Windows Event Viewer - -You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). - -1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -2. On the left panel, under **Actions**, click **Import custom view...** - -3. Navigate to the Exploit Guard Evaluation Package, and select the file *cfa-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the following events related to Controlled folder access: - -Event ID | Description --|- -5007 | Event when settings are changed -1124 | Audited Controlled folder access event -1123 | Blocked Controlled folder access event -1127 | Blocked Controlled folder access sector write block event -1128 | Audited Controlled folder access sector write block event - - ## Use audit mode to measure impact -As with other Windows Defender EG features, you can enable the Controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. +You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. @@ -115,21 +42,18 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode ``` >[!TIP] ->If you want to fully audit how Controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled folder access topic](controlled-folders-exploit-guard.md). - +>If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md). For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). - - ## Customize protected folders and apps During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. -See the main [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. +See [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. ## Related topics -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) - [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) - [Use audit mode](audit-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index d4d3705b4a..ec8690b50d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -11,95 +11,24 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/30/2018 +ms.date: 11/16/2018 --- - - # Evaluate exploit protection **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in exploit protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are included in exploit protection. -This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md) . - ->[!NOTE] ->This topic uses PowerShell cmdlets to make it easy to enable the feature and test it. ->For instructions about how to use Group Policy and Mobile Device Management (MDM to deploy these settings across your network, see [Exploit protection](exploit-protection-exploit-guard.md). +This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md). >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Enable and validate an exploit protection mitigation - -For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app. - -First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app: - -1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** - -2. Enter the following cmdlet: - - ```PowerShell - Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation - ``` - -1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. - -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. - -3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. - -4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**. - -Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user: - -1. Type **run** in the Start menu and press **Enter** to open the run dialog box. - -2. Type **iexplore.exe** and press **Enter** or click **OK** to attempt to open Internet Explorer. - -3. Internet Explorer should briefly open and then immediately shut down again, indicating that the mitigation was applied and prevented Internet Explorer from opening a child process (its own process). - -Lastly, we can disable the mitigation so that Internet Explorer works properly again: - -1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. - -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. - -3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. - -4. Find the **Do not allow child processes** setting and set the switch to **Off**. Click **Apply** - -5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected. - - -## Review exploit protection events in Windows Event Viewer - -You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). - -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. - -2. Type **Event viewer** in the Start menu to open the Windows Event Viewer. - -3. On the left panel, under **Actions**, click **Import custom view...** - -4. Navigate to where you extracted *ep-events.xml* and select it. Alternatively, [copy the XML directly](event-views-exploit-guard.md). - -4. Click **OK**. - -5. This will create a custom view that filters to only show the events related to exploit protection. - -6. The specific event to look for in this demo is event ID 4, which should have the following or similar information: - - Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. - - ## Use audit mode to measure impact You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations. @@ -112,8 +41,6 @@ See the [**PowerShell reference** section in customize exploit protection](custo For further details on how audit mode works, and when you might want to use it, see [audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). - - ## Related topics - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) - [Enable exploit protection](enable-exploit-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index dc6546e9a9..9c5516c1de 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -1,5 +1,5 @@ --- -title: Conduct a demo to see how Network protection works +title: Conduct a demo to see how network protection works description: Quickly see how Network protection works by performing common scenarios that it protects against keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo search.product: eADQiWindows 10XVcnh @@ -11,33 +11,16 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/09/2018 +ms.date: 11/16/2018 --- -# Evaluate Network protection - - +# Evaluate network protection **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - - - - - - - - - - - - - -Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - -It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site. @@ -47,7 +30,7 @@ This topic helps you evaluate Network protection by enabling the feature and gui >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Enable Network protection +## Enable network protection 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -56,7 +39,7 @@ This topic helps you evaluate Network protection by enabling the feature and gui Set-MpPreference -EnableNetworkProtection Enabled ``` -You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace `Enabled` with either `AuditMode` or `Disabled`. +You can also carry out the processes described in this topic in audit or disabled mode to see how the feature will work. Use the same PowerShell cmdlet as above, but replace "Enabled" with either "AuditMode" or "Disabled". ### Visit a (fake) malicious domain @@ -66,10 +49,9 @@ You can also carry out the processes described in this topic in audit or disable You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked. -![Example notification that says Connection blocked: Your IT administrator caused Windows Defender Security center to block this network connection. Contact your IT help desk.](images/np-notif.png) +![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png) - - ## Review Network protection events in Windows Event Viewer +## Review network protection events in Windows Event Viewer You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). @@ -81,18 +63,18 @@ You can also review the Windows event log to see the events there were created w 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Network protection: +5. This will create a custom view that filters to only show the following events related to network protection: Event ID | Description -|- 5007 | Event when settings are changed -1125 | Event when rule fires in Audit-mode -1126 | Event when rule fires in Block-mode +1125 | Event when rule fires in audit mode +1126 | Event when rule fires in block mode ## Use audit mode to measure impact -You can also enable the Network protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled. +You can also enable the network protection feature in audit mode. This lets you see a record of which IP addresses and domains would have been blocked if the feature were enabled. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use. @@ -101,17 +83,12 @@ To enable audit mode, use the following PowerShell cmdlet: ```PowerShell Set-MpPreference -EnableNetworkProtection AuditMode ``` - - >[!TIP] ->If you want to fully audit how Network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +>If you want to fully audit how network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network protection topic](network-protection-exploit-guard.md). +## Related topics - - - ## Related topics - -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) +- [Protect your network](network-protection-exploit-guard.md) - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) - [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index e7852096d0..ee57054634 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md @@ -14,48 +14,36 @@ ms.author: v-anbic ms.date: 05/30/2018 --- - - # Evaluate Windows Defender Exploit Guard - **Applies to:** - Windows 10, version 1709 and later - Windows Server 2016 - - - - - -Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. +Windows Defender Exploit Guard is a collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. - Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisites are. - -- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) -- [Evaluate Controlled folder access](evaluate-controlled-folder-access.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Evaluate Network protection](evaluate-network-protection.md) +- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) +- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Evaluate network protection](evaluate-network-protection.md) You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits: - [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) - - ## Related topics Topic | Description ---|--- -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) \ No newline at end of file +- [Protect devices from exploits](exploit-protection-exploit-guard.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) +- [Protect your network](network-protection-exploit-guard.md) +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index ceb60ddeb8..fc9d4153fb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -15,18 +15,11 @@ ms.author: v-anbic ms.date: 08/08/2018 --- - # View attack surface reduction events - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. @@ -34,19 +27,19 @@ Reviewing the events is also handy when you are evaluating the features, as you This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Defender Security Center, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities You can create custom views in the Windows Event Viewer to only see events for specific capabilities and settings. -The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. +The easiest way to do this is to import a custom view as an XML file. You can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. +You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. ### Import an existing XML custom view -1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the appropriate file to an easily accessible location. The following filenames are each of the custom views: +1. Create an empty .txt file and copy the XML for the custom view you want to use into the .txt file. Do this for each of the custom views you want to use. Rename the files as follows (ensure you change the type from .txt to .xml): - Controlled folder access events custom view: *cfa-events.xml* - Exploit protection events custom view: *ep-events.xml* - Attack surface reduction events custom view: *asr-events.xml* @@ -82,11 +75,7 @@ You can also manually navigate to the event area that corresponds to the Windows 5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). - - - - -### XML for Attack surface reduction events +### XML for attack surface reduction rule events ```xml @@ -97,7 +86,7 @@ You can also manually navigate to the event area that corresponds to the Windows ``` -### XML for Controlled folder access events +### XML for controlled folder access events ```xml @@ -108,7 +97,7 @@ You can also manually navigate to the event area that corresponds to the Windows ``` -### XML for Exploit protection events +### XML for exploit protection events ```xml @@ -128,7 +117,7 @@ You can also manually navigate to the event area that corresponds to the Windows ``` -### XML for Network protection events +### XML for network protection events ```xml @@ -140,8 +129,6 @@ You can also manually navigate to the event area that corresponds to the Windows ``` - - ## List of attack surface reduction events @@ -157,30 +144,30 @@ You can access these events in Windows Event viewer: Feature | Provider/source | Event ID | Description :-|:-|:-:|:- -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 1 | ACG audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 2 | ACG enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 3 | Do not allow child processes audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 4 | Do not allow child processes block -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 5 | Block low integrity images audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 6 | Block low integrity images block -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 7 | Block remote images audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 8 | Block remote images block -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 9 | Disable win32k system calls audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 10 | Disable win32k system calls block -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 11 | Code integrity guard audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 12 | Code integrity guard block -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 13 | EAF audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 14 | EAF enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 15 | EAF+ audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 16 | EAF+ enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 17 | IAF audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 18 | IAF enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 19 | ROP StackPivot audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 20 | ROP StackPivot enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 21 | ROP CallerCheck audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 22 | ROP CallerCheck enforce -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 23 | ROP SimExec audit -Exploit protection | Security-Mitigations (Kernal Mode/User Mode) | 24 | ROP SimExec enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 1 | ACG audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 2 | ACG enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 3 | Do not allow child processes audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 4 | Do not allow child processes block +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 5 | Block low integrity images audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 6 | Block low integrity images block +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 7 | Block remote images audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 8 | Block remote images block +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 9 | Disable win32k system calls audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 10 | Disable win32k system calls block +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 11 | Code integrity guard audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 12 | Code integrity guard block +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 13 | EAF audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 14 | EAF enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 15 | EAF+ audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 16 | EAF+ enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 17 | IAF audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 18 | IAF enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 19 | ROP StackPivot audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 20 | ROP StackPivot enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 21 | ROP CallerCheck audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 22 | ROP CallerCheck enforce +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 23 | ROP SimExec audit +Exploit protection | Security-Mitigations (Kernel Mode/User Mode) | 24 | ROP SimExec enforce Exploit protection | WER-Diagnostics | 5 | CFG Block Exploit protection | Win32K (Operational) | 260 | Untrusted Font Network protection | Windows Defender (Operational) | 5007 | Event when settings are changed @@ -193,4 +180,4 @@ Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Contr Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode -Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode \ No newline at end of file +Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 3fa5e1d678..e84b78a8a0 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -11,51 +11,41 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/09/2018 +ms.date: 11/29/2018 --- - - -# Protect devices from exploits with with Windows Defender Exploit Guard - +# Protect devices from exploits **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Exploit protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). - You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. + You [configure these settings using the Windows Security app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. - You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit protection would impact your organization if it were enabled. + You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how exploit protection would impact your organization if it were enabled. - Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See the [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard topic](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to Exploit protection on Windows 10. + Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. >[!IMPORTANT] - >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + >If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. >[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. +>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. -## Requirements + ## Review exploit protection events in Windows Event Viewer -Windows 10 version | Windows Defender Advanced Threat Protection --|- -Windows 10 version 1709 or later | For full reporting, you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - - - ## Review Exploit protection events in Windows Event Viewer - -You can review the Windows event log to see events that are created when Exploit protection blocks (or audits) an app: +You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. @@ -103,11 +93,11 @@ Win32K | 260 | Untrusted Font ## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard >[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. > ->You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. +>You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP. +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. @@ -120,45 +110,38 @@ For more information about the individual features and mitigations available in - [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) - - - - ## Feature comparison +## Feature comparison The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.   | Windows Defender Exploit Guard | EMET -|:-:|:-: Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
    All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
    Windows 8.1; Windows 8; Windows 7
    Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
    (no additional installation required)
    Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training -Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
    [Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
    Ends after July 31, 2018 +Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
    (no additional installation required)
    Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device +User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training +Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
    [Part of the Windows 10 support lifecycle](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
    Ends after July 31, 2018 Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
    Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
    No planned updates or development Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
    All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
    [Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited set of mitigations Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
    [Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited ruleset configuration only for modules (no processes) Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Helps protect important folders](controlled-folders-exploit-guard.md)
    [Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Requires installation and use of EMET tool +Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Requires installation and use of EMET tool Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Available Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Requires use of EMET tool (EMET_CONF) -System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available -Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available +System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available +Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Use Intune to customize, deploy, and manage configurations](https://docs.microsoft.com/intune/whats-new#window-defender-exploit-guard-is-a-new-set-of-intrusion-prevention-capabilities-for-windows-10----1063615---) | [!include[Check mark no](images/svg/check-no.svg)]
    Not available Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
    With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
    [Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
    Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
    [Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
    Limited to EAF, EAF+, and anti-ROP mitigations - - ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). -([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. - - +([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. ## Mitigation comparison -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md). +The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). -The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. +The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. Mitigation | Available in Windows Defender Exploit Guard | Available in EMET -|:-:|:-: @@ -186,11 +169,6 @@ Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [ Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] - - - - - >[!NOTE] >The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. > @@ -199,10 +177,10 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 2da48a5d94..99eb36540f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md @@ -1,5 +1,5 @@ --- -title: Deploy Exploit protection mitigations across your organization +title: Deploy exploit protection mitigations across your organization keywords: Exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit protection configuration. search.product: eADQiWindows 10XVcnh @@ -14,67 +14,41 @@ ms.author: v-anbic ms.date: 04/30/2018 --- - - -# Import, export, and deploy Exploit protection configurations - +# Import, export, and deploy exploit protection configurations **Applies to:** - -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - - - - - - - - - - - - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/security/jj653751) are now included in exploit protection. -You use the Windows Defender Security Center or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. +You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. -You can also convert and import an existing EMET configuration XML file into an Exploit protection configuration XML. +You can also convert and import an existing EMET configuration XML file into an exploit protection configuration XML. This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration. -The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit protection and then review the settings in the Windows Defender Security Center app, as described further in this topic. - - +The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic. ## Create and export a configuration file Before you export a configuration file, you need to ensure you have the correct settings. -You should first configure Exploit protection on a single, dedicated machine. See the [Customize Exploit protection](customize-exploit-protection.md) topic for descriptions about and instructions for configuring mitigations. +You should first configure exploit protection on a single, dedicated machine. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations. -When you have configured Exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell. +When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell. +### Use the Windows Security app to export a configuration file - - -### Use the Windows Defender Security Center app to export a configuration file - - -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**: - ![Highlight of the Exploit protection settings option in the Windows Defender Security Center app](images/wdsc-exp-prot.png) + ![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png) 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. @@ -83,7 +57,6 @@ When you have configured Exploit protection to your desired state (including bot >[!NOTE] >When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. - ### Use PowerShell to export a configuration file 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** @@ -98,12 +71,11 @@ Change `filename` to any name or location of your choosing. > [!IMPORTANT] > When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. - ## Import a configuration file -You can import an Exploit protection configuration file that you've previously created. You can only use PowerShell to import the configuration file. +You can import an exploit protection configuration file that you've previously created. You can only use PowerShell to import the configuration file. -After importing, the settings will be instantly applied and can be reviewed in the Windows Defender Security Center app. +After importing, the settings will be instantly applied and can be reviewed in the Windows Security app. ### Use PowerShell to import a configuration file @@ -115,16 +87,16 @@ After importing, the settings will be instantly applied and can be reviewed in t Set-ProcessMitigation -PolicyFilePath filename.xml ``` -Change `filename` to the location and name of the Exploit protection XML file. +Change `filename` to the location and name of the exploit protection XML file. >[!IMPORTANT] > ->Ensure you import a configuration file that is created specifically for Exploit protection. You cannot directly import an EMET configuration file, you must convert it first. +>Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first. -## Convert an EMET configuration file to an Exploit protection configuration file +## Convert an EMET configuration file to an exploit protection configuration file -You can convert an existing EMET configuration file to the new format used by Exploit protection. You must do this if you want to import an EMET configuration into Exploit protection in Windows 10. +You can convert an existing EMET configuration file to the new format used by exploit protection. You must do this if you want to import an EMET configuration into exploit protection in Windows 10. You can only do this conversion in PowerShell. @@ -178,13 +150,13 @@ You can use Group Policy to deploy the configuration you've created to multiple - \\\Server\Share\Config.xml - https://localhost:8080/Config.xml -8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). ## Related topics - [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index a24d063a73..11ff56a123 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md @@ -14,14 +14,11 @@ ms.author: iawilt ms.date: 08/09/2018 --- - - # Memory integrity - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 65be3c2ceb..b6ef34d2fc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -1,5 +1,5 @@ --- -title: Use Network protection to help prevent connections to bad sites +title: Use network protection to help prevent connections to bad sites description: Protect your network by preventing users from accessing known malicious and suspicious network addresses keywords: Network protection, exploits, malicious website, ip, domain, domains search.product: eADQiWindows 10XVcnh @@ -11,30 +11,27 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/09/2018 +ms.date: 11/29/2018 --- - - -# Protect your network with Windows Defender Exploit Guard +# Protect your network **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +Network protection is supported on Windows 10, version 1709 and later and Windows Server 2016, version 1803 or later. >[!TIP] ->You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. - +>You can visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -When Network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled. @@ -46,38 +43,37 @@ Windows 10 version | Windows Defender Antivirus - | - Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled +## Review network protection events in the Windows Defender ATP Security Center -## Review Network protection events in Windows Event Viewer +Windows Defender ATP provides detailed reporting into events and blocks as part of its [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can query Windows Defender ATP data by using [Advanced hunting](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection). If you're using [audit mode](audit-windows-defender-exploit-guard.md), you can use Advanced hunting to see how network protection settings would affect your environment if they were enabled. -You can review the Windows event log to see events that are created when Network protection blocks (or audits) access to a malicious IP or domain: +## Review network protection events in Windows Event Viewer + +You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine. 1. Type **Event viewer** in the Start menu to open the Windows Event Viewer. 2. On the left panel, under **Actions**, click **Import custom view...** - - ![Antimation of the import custom view option](images/events-import.gif) - + 3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md). 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Network protection: +5. This will create a custom view that filters to only show the following events related to network protection: Event ID | Description -|- 5007 | Event when settings are changed -1125 | Event when Network protection fires in Audit-mode -1126 | Event when Network protection fires in Block-mode - - - +1125 | Event when network protection fires in audit mode +1126 | Event when network protection fires in block mode ## In this section Topic | Description ---|--- -[Evaluate Network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. -[Enable Network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network protection feature in your network. +[Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. +[Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index dc50235f04..640fe4cc29 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -1,5 +1,5 @@ --- -title: Requirements and deployment planning guidelines for irtualization-based protection of code integrity (Windows 10) +title: Requirements and deployment planning guidelines for virtualization-based protection of code integrity (Windows 10) description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies. keywords: virtualization, security, malware ms.prod: w10 @@ -13,7 +13,7 @@ ms.date: 10/20/2017 **Applies to** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. @@ -33,9 +33,9 @@ The following tables provide more information about the hardware, firmware, and |--------------------------------|----------------------------------------------------|-------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | | Hardware: **CPU virtualization extensions**,
    plus **extended page tables** | These hardware features are required for VBS:
    One of the following virtualization extensions:
    • VT-x (Intel) or
    • AMD-V
    And:
    • Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | -| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: **HVCI compatible drivers** | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://docs.microsoft.com/windows-hardware/design/compatibility/filter#filterdriverdeviceguarddrivercompatibility).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | +| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | +| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | +| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | | Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

    Important:
    Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

    | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. | > **Important**  The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide. @@ -58,7 +58,7 @@ The following tables describe additional hardware and firmware qualifications, a | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|-----| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwarecsuefisecurebootconnectedstandby)
    • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/en-us/windows-hardware/design/compatibility/whcp-specifications-policies).
    • The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
    • HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | | Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
    • Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
    • Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index a2e9bc9fb3..5711270ae7 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot problems with Attack surface reduction rules +title: Troubleshoot problems with attack surface reduction rules description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking search.product: eADQiWindows 10XVcnh @@ -11,26 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 09/18/2018 --- -# Troubleshoot Attack surface reduction rules +# Troubleshoot attack surface reduction rules **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - - -- IT administrators - -When you use [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: +When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: - A rule blocks a file, process, or performs some other action that it should not (false positive) - A rule does not work as described, or does not block a file or process that it should (false negative) - - There are four steps to troubleshooting these problems: 1. Confirm that you have met all pre-requisites @@ -38,11 +32,9 @@ There are four steps to troubleshooting these problems: 3. Add exclusions for the specified rule (for false positives) 3. Submit support logs - - ## Confirm pre-requisites -Attack surface reduction (ASR) will only work on devices with the following conditions: +Attack surface reduction rules will only work on devices with the following conditions: >[!div class="checklist"] > - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update). @@ -50,47 +42,44 @@ Attack surface reduction (ASR) will only work on devices with the following cond > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). - If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. ## Use audit mode to test the rule There are two ways that you can test if the rule is working. -You can use a pre-configured demo tool to confirm ASR is generally working on the device, or you can use audit mode, which enables the rule for reporting only. +You can use a pre-configured demo tool to confirm attack surface reduction rules are generally working on the device, or you can use audit mode, which enables rules for reporting only. -The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the ASR feature as a whole is operating correctly. +The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the attack surface reduction rule feature as a whole is operating correctly. If you encounter problems when running the demo tool, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites). -You should follow the instructions in the section [Use the demo tool to see how ASR works](evaluate-attack-surface-reduction.md#use-the-demo-tool-to-see-how-attack-surface-reduction-works) to test the specific rule you are encountering problems with. +Follow the instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. >[!TIP] ->While the instructions for using the demo tool are intended for evaluating or seeing how ASR works, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature. +>While the instructions for using the demo tool are intended for evaluating or seeing how attack surface reduction rules work, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature. Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run. -1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). +1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). -3. [Review the ASR event logs](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. - +3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. >[!TIP] >Audit mode will stop the rule from blocking the file or process. > >If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. > ->Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed. +>Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. +If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: -If you've tested the rule with the demo tool and with audit mode, and ASR is working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: - -1. If the ASR rule is blocking something that it should not block (also known as a false positive), you can [first add an ASR exclusion](#add-exclusions-for-a-false-positive). -2. If the ASR rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data). +1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). +2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data). ## Add exclusions for a false positive -You can add exclusions to ASR to prevent ASR rules from evaluating the excluded files or folders. +You can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. This is useful if you have enabled a rule, and it is blocking a file, process, or action that you believe it should not block. You can then collect data from an endpoint where the rule is not working correctly and send that information to us. @@ -101,12 +90,11 @@ To add an exclusion, see the [Customize Attack surface reduction](customize-atta > >This means any files or folders that are excluded will be excluded from all ASR rules. - If you have followed all previous troubleshooting steps, and you still have a problem (in particular, if you have a false positive), you should proceed to the next step to collect diagnostic information and send it to us. ## Collect diagnostic data -You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with ASR. +You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with attack surface reduction rules. When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). @@ -115,14 +103,8 @@ You must also attach associated files in a .zip file (such as the file or execut Follow the link below for instructions on how to collect the .cab file: > [!div class="nextstepaction"] -> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md) - - - - - +> [Collect and submit diagnostic data](collect-cab-files-exploit-guard-submission.md) ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Attack surface reduction](attack-surface-reduction-exploit-guard.md) +- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index 28b500c5c9..ede76cf20a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md @@ -1,5 +1,5 @@ --- -title: Deploy Exploit protection mitigations across your organization +title: Deploy exploit protection mitigations across your organization keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install description: Remove unwanted Exploit protection mitigations. search.product: eADQiWindows 10XVcnh @@ -14,30 +14,15 @@ ms.author: v-anbic ms.date: 08/09/2018 --- - - -# Troubleshoot Exploit protection mitigations - +# Troubleshoot exploit protection mitigations **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) +When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. - - - - - - - - - - - -When you create a set of Exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. - -You can manually remove unwanted mitigations in Windows Defender Security Center, or you can use the following process to remove all mitigations and then import a baseline configuration file instead. +You can manually remove unwanted mitigations in Windows Security, or you can use the following process to remove all mitigations and then import a baseline configuration file instead. 1. Remove all process mitigations with this PowerShell script: @@ -208,9 +193,9 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 3019dd13f6..b091e01721 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -14,13 +14,11 @@ ms.author: v-anbic ms.date: 08/09/2018 --- -# Troubleshoot Network protection +# Troubleshoot network protection **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) - IT administrators @@ -29,8 +27,6 @@ When you use [Network protection](network-protection-exploit-guard.md) you may e - Network protection blocks a website that is safe (false positive) - Network protection fails to block a suspicious or known malicious website (false negative) - - There are four steps to troubleshooting these problems: 1. Confirm that you have met all pre-requisites @@ -38,19 +34,16 @@ There are four steps to troubleshooting these problems: 3. Add exclusions for the specified rule (for false positives) 3. Submit support logs - - ## Confirm pre-requisites -Windows Defender Exploit Guard will only work on devices with the following conditions: +Network protection will only work on devices with the following conditions: >[!div class="checklist"] > - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). - +> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. @@ -58,33 +51,33 @@ If these pre-requisites have all been met, proceed to the next step to test the There are two ways that you can test if the feature is working - you can use a demo website, and you can use audit mode. -You can enable Network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by Network protection. See the [evaluate Network protection](evaluate-network-protection.md) topic for instructions. +You can enable network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by network protection. See [Evaluate network protection](evaluate-network-protection.md) for instructions. If you encounter problems when running the evaluation scenario, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites). >[!TIP] ->While the instructions for using the demo website are intended for evaluating or seeing how Network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. +>While the instructions for using the demo website are intended for evaluating or seeing how network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. -You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets Network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run. +You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run. -1. Enable audit mode for Network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). +1. Enable audit mode for network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). 2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -3. [Review the Network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. +3. [Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. >[!IMPORTANT] ->Audit mode will stop Network protection from blocking known malicious connections. +>Audit mode will stop network protection from blocking known malicious connections. > ->If Network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. +>If network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. > >Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed. -If you've tested the feature with the demo site and with audit mode, and Network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. +If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. ## Report a false positive or false negative -You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with Network protection. +You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with network protection. When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). @@ -93,11 +86,6 @@ You can also attach a diagnostic .cab file to your submission if you wish (this > [!div class="nextstepaction"] > [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md) - - - - - ## Related topics - [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 1613918bd9..bdf4311dfe 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -14,19 +14,11 @@ ms.author: v-anbic ms.date: 08/09/2018 --- - - # Windows Defender Exploit Guard - **Applies to:** -- Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - - +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf) Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. @@ -51,9 +43,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work. -Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. +Windows Defender EG can be managed and reported on in the Windows Security app as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. -You can use the Windows Defender Security Center to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. +You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. ## Requirements @@ -63,13 +55,12 @@ This section covers requirements for each feature in Windows Defender EG. |--------|---------| | ![not supported](./images/ball_empty.png) | Not supported | | ![supported](./images/ball_50.png) | Supported | -| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an Attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| - +| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | | Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | -| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) | +| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) | | Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | @@ -78,7 +69,7 @@ The following table lists which features in Windows Defender EG require enabling | Feature | Real-time protection | |-----------------| ------------------------------------ | | Exploit protection | No requirement | -| Attack surface reduction | Must be enabled | +| Attack surface reduction rules | Must be enabled | | Network protection | Must be enabled | | Controlled folder access | Must be enabled | @@ -87,8 +78,8 @@ The following table lists which features in Windows Defender EG require enabling Topic | Description ---|--- [Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. -[Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. +[Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. [Protect your network](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors. -[Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. +[Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. diff --git a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png index bf7a3e3910..a60f5edbab 100644 Binary files a/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png and b/windows/security/threat-protection/windows-defender-security-center/images/security-center-custom-flyout.png differ diff --git a/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png b/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png index 98083a937c..68b94302a1 100644 Binary files a/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png and b/windows/security/threat-protection/windows-defender-security-center/images/wdsc-all-hide.png differ diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index 4dad649653..eb6433dadd 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -1,5 +1,5 @@ --- -title: Account protection in the Windows Defender Security Center app +title: Account protection in the Windows Security app description: Use the Account protection section to manage security for your account and sign in to Microsoft. keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh @@ -25,15 +25,15 @@ ms.date: 04/30/2018 The **Account protection** section contains information and settings for account protection and sign in. IT administrators and IT pros can get more information and documentation about configuration from the following: - [Microsoft Account](https://account.microsoft.com/account/faq) -- [Windows Hello for Business](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification) -- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/en-us/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from) +- [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification) +- [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from) You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. ## Hide the Account protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -46,13 +46,13 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Account protection**. +5. Expand the tree to **Windows components > Windows Security > Account protection**. 6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index aa52a93e41..f8a95593d9 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -1,5 +1,5 @@ --- -title: App & browser control in the Windows Defender Security Center app +title: App & browser control in the Windows Security app description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings. keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh @@ -22,7 +22,7 @@ ms.date: 04/30/2018 - Windows 10, version 1703 and later -The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). +The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](https://docs.microsoft.com/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). In Windows 10, version 1709 and later, the section also provides configuration options for Exploit protection. You can prevent users from modifying these specific options with Group Policy. IT administrators can get more information at the [Exploit protection](../windows-defender-exploit-guard/exploit-protection-exploit-guard.md) topic in the Windows Defender Exploit Guard library. @@ -44,15 +44,15 @@ You can only prevent users from modifying Exploit protection settings by using G 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > App and browser protection**. +5. Expand the tree to **Windows components > Windows Security > App and browser protection**. 6. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). ## Hide the App & browser control section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -65,13 +65,13 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > App and browser protection**. +5. Expand the tree to **Windows components > Windows Security > App and browser protection**. 6. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index b528a224eb..30cc2c355d 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -1,5 +1,5 @@ --- -title: Customize Windows Defender Security Center contact information +title: Customize Windows Security contact information description: Provide information to your employees on how to contact your IT department when a security issue occurs keywords: wdsc, security center, defender, notification, customize, contact, it department, help desk, call, help site search.product: eADQiWindows 10XVcnh @@ -14,7 +14,7 @@ ms.author: v-anbic ms.date: 04/30/2018 --- -# Customize the Windows Defender Security Center app for your organization +# Customize the Windows Security app for your organization **Applies to** @@ -28,7 +28,7 @@ ms.date: 04/30/2018 - Group Policy -You can add information about your organization in a contact card to the Windows Defender Security Center app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. +You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. ![](images/security-center-custom-flyout.png) @@ -56,7 +56,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Enterprise Customization**. +5. Expand the tree to **Windows components > Windows Security > Enterprise Customization**. 6. You enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 7 and 8), and you can enable both or only one or the other: diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 67d58174c1..83258123af 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -1,5 +1,5 @@ --- -title: Device & performance health in the Windows Defender Security Center app +title: Device & performance health in the Windows Security app description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues keywords: wdsc, windows update, storage, driver, device, installation, battery, health, status search.product: eADQiWindows 10XVcnh @@ -22,9 +22,9 @@ ms.date: 04/30/2018 - Windows 10, version 1703 and later -The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/en-us/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using System Center Configuration Manager](https://docs.microsoft.com/en-us/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). +The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](https://docs.microsoft.com/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using System Center Configuration Manager](https://docs.microsoft.com/windows/deployment/deploy-windows-sccm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). -The [Windows 10 IT pro troubleshooting topic](https://docs.microsoft.com/en-us/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](https://docs.microsoft.com/en-us/windows/windows-10/) can also be helpful for resolving issues. +The [Windows 10 IT pro troubleshooting topic](https://docs.microsoft.com/windows/client-management/windows-10-support-solutions), and the main [Windows 10 documentation library](https://docs.microsoft.com/windows/windows-10/) can also be helpful for resolving issues. In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. @@ -32,7 +32,7 @@ In Windows 10, version 1709 and later, the section can be hidden from users of t ## Hide the Device performance & health section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -45,13 +45,13 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Device performance and health**. +5. Expand the tree to **Windows components > Windows Security > Device performance and health**. 6. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index 64af9bb9d8..5df35a849e 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -1,5 +1,5 @@ --- -title: Device security in the Windows Defender Security Center app +title: Device security in the Windows Security app description: Use the Device security section to manage security built into your device, including virtualization-based security. keywords: device security, device guard, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh @@ -11,25 +11,22 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- - # Device security **Applies to** - Windows 10, version 1803 and later - -The **Device security** section contains information and settings for built-in device security. +The **Device security** section contains information and settings for built-in device security. You can choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. - ## Hide the Device security section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -40,15 +37,59 @@ This can only be done in Group Policy. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Device security**. +3. Expand the tree to **Windows components > Windows Security > Device security**. -6. Open the **Hide the Device security area** setting and set it to **Enabled**. Click **OK**. +4. Open the **Hide the Device security area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) + +## Disable the Clear TPM button +If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it. + +>[!IMPORTANT] +>### Requirements +> +>You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Security > Device security**. + +4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Click **OK**. + +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). + +## Hide the TPM Firmware Update recommendation +If you don't want users to see the recommendation to update TPM firmware, you can disable it. + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Security > Device security**. + +4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Click **OK**. + +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). + +## Disable Memory integrity switch +If you don't want users to be able to change the Hypervisor Control Integrity (HVCI), or memory integrity, setting on their computers, you can disable the **Memory integrity** switch. + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Security > Device security**. + +4. Open the **Disable Memory integrity switch** setting and set it to **Enabled**. Click **OK**. + +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index 47bf08fc3f..cc7706945e 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -1,5 +1,5 @@ --- -title: Family options in the Windows Defender Security Center app +title: Family options in the Windows Security app description: Hide the Family options section in enterprise environments keywords: wdsc, family options, hide, suppress, remove, disable, uninstall, kids, parents, safety, parental, child, screen time search.product: eADQiWindows 10XVcnh @@ -24,14 +24,14 @@ ms.date: 04/30/2018 The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It is not generally intended for enterprise or business environments. -Home users can learn more at the [Help protection your family online in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender) +Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/help/4013209/windows-10-protect-your-family-online-in-windows-defender) In Windows 10, version 1709, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to this section. ## Hide the Family options section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -44,13 +44,13 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Family options**. +5. Expand the tree to **Windows components > Windows Security > Family options**. 6. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 06fbec6d1e..1aea2d2d26 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -1,5 +1,5 @@ --- -title: Firewall and network protection in the Windows Defender Security Center app +title: Firewall and network protection in the Windows Security app description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine. keywords: wdsc, firewall, windows defender firewall, network, connections, domain, private network, publish network, allow firewall, firewall rule, block firewall search.product: eADQiWindows 10XVcnh @@ -29,7 +29,7 @@ In Windows 10, version 1709 and later, the section can be hidden from users of t ## Hide the Firewall & network protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -42,7 +42,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Firewall and network protection**. +5. Expand the tree to **Windows components > Windows Security > Firewall and network protection**. 6. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**. @@ -51,5 +51,5 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 551ce1779b..b936dc1dcb 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -1,6 +1,6 @@ --- -title: Hide notifications from the Windows Defender Security Center app -description: Prevent Windows Defender Security Center app notifications from appearing on user endpoints +title: Hide notifications from the Windows Security app +description: Prevent Windows Security app notifications from appearing on user endpoints keywords: defender, security center, app, notifications, av, alerts search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -14,7 +14,7 @@ ms.author: v-anbic ms.date: 04/30/2018 --- -# Hide Windows Defender Security Center app notifications +# Hide Windows Security app notifications **Applies to** @@ -28,7 +28,7 @@ ms.date: 04/30/2018 - Group Policy -The Windows Defender Security Center app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. +The Windows Security app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization. @@ -58,16 +58,16 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Notifications**. +5. Expand the tree to **Windows components > Windows Security > Notifications**. 6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). ## Use Group Policy to hide all notifications -You can hide all notifications that are sourced from the Windows Defender Security Center app. This may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input. +You can hide all notifications that are sourced from the Windows Security app. This may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input. This can only be done in Group Policy. @@ -80,8 +80,8 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Notifications**. +5. Expand the tree to **Windows components > Windows Security > Notifications**. 6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). \ No newline at end of file +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 5d7d2ce96b..f4ee73535b 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -1,5 +1,5 @@ --- -title: Virus and threat protection in the Windows Defender Security Center app +title: Virus and threat protection in the Windows Security app description: Use the Virus & threat protection section to see and configure Windows Defender Antivirus, Controlled folder access, and 3rd-party AV products. keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh @@ -28,9 +28,9 @@ In Windows 10, version 1803, this section also contains information and settings IT administrators and IT pros can get more information and documentation about configuration from the following: -- [Windows Defender Antivirus in the Windows Defender Security Center app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md) +- [Windows Defender Antivirus in the Windows Security app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md) - [Windows Defender Antivirus documentation library](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) -- [Protect important folders with Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) +- [Protect important folders with Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) - [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/) - [Office 365 advanced protection](https://support.office.com/en-us/article/office-365-advanced-protection-82e72640-39be-4dc7-8efd-740fb289123a) - [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) @@ -40,7 +40,7 @@ You can choose to hide the **Virus & threat protection** section or the **Ransom ## Hide the Virus & threat protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -53,20 +53,20 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Virus and threat protection**. +5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**. 6. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) ## Hide the Ransomware protection area -You can choose to hide the **Ransomware protection** area by using Group Policy. The area will not appear on the **Virus & threat protection** section of the Windows Defender Security Center app. +You can choose to hide the **Ransomware protection** area by using Group Policy. The area will not appear on the **Virus & threat protection** section of the Windows Security app. This can only be done in Group Policy. @@ -79,8 +79,8 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Virus and threat protection**. +5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**. 6. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index a4423252ca..f13658dab4 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -1,6 +1,6 @@ --- -title: Manage Windows Defender Security Center in Windows 10 in S mode -description: Windows Defender Security Center settings are different in Windows 10 in S mode +title: Manage Windows Security in Windows 10 in S mode +description: Windows Security settings are different in Windows 10 in S mode keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -14,7 +14,7 @@ ms.author: v-anbic ms.date: 04/30/2018 --- -# Manage Windows Defender Security Center in Windows 10 in S mode +# Manage Windows Security in Windows 10 in S mode **Applies to** @@ -30,15 +30,15 @@ ms.date: 04/30/2018 Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software. -The Windows Defender Security Center interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. +The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. -![Screen shot of the Windows Defender Security Center app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) +![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) -For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode). +For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode). -##Managing Windows Defender Security Center settings with Intune +##Managing Windows Security settings with Intune In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell scripts. -For information about using Intune to manage Windows Defender Security Center settings on your organization's devices, see [Set up Intune](https://docs.microsoft.com/en-us/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10). +For information about using Intune to manage Windows Security settings on your organization's devices, see [Set up Intune](https://docs.microsoft.com/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](https://docs.microsoft.com/intune/endpoint-protection-windows-10). diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index c98c737aad..60a0d3278b 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -1,6 +1,6 @@ --- -title: The Windows Defender Security Center app -description: The Windows Defender Security Center app brings together common Windows security features into one place +title: The Windows Security app +description: The Windows Security app brings together common Windows security features into one place keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -11,117 +11,105 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- -# The Windows Defender Security Center app +# The Windows Security app **Applies to** - Windows 10, version 1703 and later - - - -In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps. - -In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. - - -![Screen shot of the Windows Defender Security Center app showing that the device is protected and five icons for each of the features](images/security-center-home.png) - - - -In Windows 10, version 1709, we increased the scope of the app to also show information from third-party antivirus and firewall apps. - ->[!NOTE] ->The Windows Defender Security Center app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal console that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). - -This library describes the Windows Defender Security Center app, and provides information on configuring certain features, including: +This library describes the Windows Security app, and provides information on configuring certain features, including: - [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md) - [Hiding notifications](wdsc-hide-notifications.md) -You can't uninstall the Windows Defender Security Center app, but you can do one of the following: +In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps. -- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). +In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. + +![Screen shot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) + +>[!NOTE] +>The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal console that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +You can't uninstall the Windows Security app, but you can do one of the following: + +- Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). - Hide all of the sections on client computers (see below). -- Disable Windows Defender Antivirus, if needed. See [Enable and configure Windows Defender AV always-on protection and monitoring](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +- Disable Windows Defender Antivirus, if needed. See [Enable and configure Windows Defender AV always-on protection and monitoring](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). You can find more information about each section, including options for configuring the sections - such as hiding each of the sections - at the following topics: - [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including the Controlled folder access feature of Windows Defender Exploit Guard and sign-in to Microsoft OneDrive. -- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. +- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. - [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall. - [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations. - [Device security](wdsc-device-security.md), which provides access to built-in device security settings. -- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. +- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. - [Family options](wdsc-family-options.md), which includes access to parental controls along with tips and information for keeping kids safe online. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) - - - - -## Open the Windows Defender Security Center app +## Open the Windows Security app - Click the icon in the notification area on the taskbar. - ![Screen shot of the icon for the Windows Defender Security Center app on the Windows task bar](images/security-center-taskbar.png) -- Search the Start menu for **Windows Defender Security Center**. + ![Screen shot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) +- Search the Start menu for **Windows Security**. - ![Screen shot of the Start menu showing the results of a search for the Windows Defender Security Center app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) + ![Screen shot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) - Open an area from Windows **Settings**. - ![Screen shot of Windows Settings showing the different areas available in the Windows Defender Security Center](images/settings-windows-defender-security-center-areas.png) + ![Screen shot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) > [!NOTE] -> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Defender Security Center. See the topics for each of the sections for links to configuring the associated features or products. +> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. -## How the Windows Defender Security Center app works with Windows security features +## How the Windows Security app works with Windows security features >[!IMPORTANT] ->Windows Defender AV and the Windows Defender Security Center app use similarly named services for specific purposes. +>Windows Defender AV and the Windows Security app use similarly named services for specific purposes. > ->The Windows Defender Security Center app uses the Windows Defender Security Center Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. +>The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. > >These services do not affect the state of Windows Defender AV. Disabling or modifying these services will not disable Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. > >Windows Defender AV will be [disabled automatically when a third-party antivirus product is installed and kept up to date](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > ->Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). +>Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). > [!WARNING] -> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. > >It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. > >This will significantly lower the protection of your device and could lead to malware infection. -The Windows Defender Security Center app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. +The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. It acts as a collector or single place to see the status and perform some configuration for each of the features. -Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Defender Security Center app. The Windows Defender Security Center app itself will still run and show status for the other security features. +Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features. > [!IMPORTANT] -> Individually disabling any of the services will not disable the other services or the Windows Defender Security Center app. +> Individually disabling any of the services will not disable the other services or the Windows Security app. -For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Defender Security Center app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. +For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md index bc843023a7..00899f714f 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md @@ -48,7 +48,7 @@ Windows Defender SmartScreen helps to provide an early warning system against we - **Management through Group Policy and Microsoft Intune.** SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md). ## Viewing Windows Defender SmartScreen anti-phishing events -When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/en-us/scriptcenter/dd565657(v=msdn.10).aspx). +When Windows Defender SmartScreen warns or blocks an employee from a website, it's logged as [Event 1035 - Anti-Phishing](https://technet.microsoft.com/scriptcenter/dd565657(v=msdn.10).aspx). ## Related topics - [SmartScreen Frequently Asked Questions (FAQ)](https://feedback.smartscreen.microsoft.com/smartscreenfaq.aspx) diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index 11e79cb879..f11f1ad904 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md @@ -1,6 +1,6 @@ --- title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10) -description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Defender Security Center to set Windows Defender SmartScreen for individual devices. +description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Security to set Windows Defender SmartScreen for individual devices. keywords: SmartScreen Filter, Windows SmartScreen ms.prod: w10 ms.mktglfcycl: explore @@ -19,14 +19,14 @@ ms.date: 10/13/2017 Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. -## How employees can use Windows Defender Security Center to set up Windows Defender SmartScreen -Starting with Windows 10, version 1703 your employees can use Windows Defender Security Center to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it. +## How employees can use Windows Security to set up Windows Defender SmartScreen +Starting with Windows 10, version 1703 your employees can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it. >[!NOTE] >If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. -**To use Windows Defender Security Center to set up Windows Defender SmartScreen on a device** -1. Open the Windows Defender Security Center app, and then click **App & browser control**. +**To use Windows Security to set up Windows Defender SmartScreen on a device** +1. Open the Windows Security app, and then click **App & browser control**. 2. In the **App & browser control** screen, choose from the following options: @@ -52,7 +52,7 @@ Starting with Windows 10, version 1703 your employees can use Windows Defender S - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. - ![Windows Defender Security Center, SmartScreen controls](images/windows-defender-smartscreen-control.png) + ![Windows Security, SmartScreen controls](images/windows-defender-smartscreen-control.png) ## How SmartScreen works when an employee tries to run an app Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization. diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md new file mode 100644 index 0000000000..8371aff1a9 --- /dev/null +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -0,0 +1,169 @@ +--- +title: Common Criteria Certifications +description: This topic details how Microsoft supports the Common Criteria certification program. +ms.prod: w10 +ms.localizationpriority: medium +ms.author: daniha +author: danihalfin +ms.date: 10/8/2018 +--- + +# Common Criteria Certifications + +Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products. + +## Common Criteria Security Targets + +### Information for Systems Integrators and Accreditors + +The Security Target describes security functionality and assurance measures used to evaluate Windows. + + - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf) + - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf) + - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx) + - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx) + - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx) + - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf) + - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx) + - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) + - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf) + - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) + - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf) + - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf) + - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf) + - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf) + - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf) + - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf) + - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf) + - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf) + - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305) + - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) + - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) + - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) + - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf) + - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) + - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf) + +## Common Criteria Deployment and Administration + +### Information for IT Administrators + +These documents describe how to configure Windows to replicate the configuration used during the Common Criteria evaluation. + +**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2** + + + - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf) + - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf) + - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx) + - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx) + - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx) + - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf) + - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx) + - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf) + - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf) + - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf) + +**Windows 8.1 and Windows Phone 8.1** + + - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) + - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx) + +**Windows 8, Windows RT, and Windows Server 2012** + + - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx) + - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx) + - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf) + - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx) + +**Windows 7 and Windows Server 2008 R2** + + - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00) + - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308) + +**Windows Vista and Windows Server 2008** + + - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) + - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) + +**Windows Server 2003 SP2 including R2, x64, and Itanium** + + - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949) + - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc) + +**Windows Server 2003 SP1(x86), x64, and IA64** + + - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef) + - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8) + +**Windows Server 2003 SP1** + + - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc) + - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38) + +**Windows XP Professional SP2 (x86) and x64 Edition** + + - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee) + - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694) + - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779) + - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431) + - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54) + - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569) + +**Windows XP Professional SP2, and XP Embedded SP2** + + - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60) + - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de) + - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8) + +**Windows Server 2003 Certificate Server** + + - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) + - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2) + - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e) + +## Common Criteria Evaluation Technical Reports and Certification / Validation Reports + +### Information for Systems Integrators and Accreditors + +An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team. + + - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) + - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) + - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) + - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf) + - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf) + - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf) + - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf) + - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf) + - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf) + - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf) + - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf) + - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf) + - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf) + - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf) + - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf) + - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf) + - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf) + - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf) + - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf) + - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf) + - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf) + - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef) + - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658) + - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) + - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) + - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) + - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265) + - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf) + - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) + - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) + - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf) + +## Other Common Criteria Related Documents + + - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc) + diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index acd9ab7b9e..efe30a1df5 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md @@ -16,6 +16,7 @@ ms.date: 06/25/2018 - Windows 10 - Windows Server 2016 +- Office 2016 ## Using security baselines in your organization diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index 22e6c40651..6c8ae105ee 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -1,4 +1,5 @@ # [What's new in Windows 10](index.md) +## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) ## [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) ## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) ## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 34346b0e9c..12dd2d0312 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -36,7 +36,6 @@ "ms.technology": "windows", "ms.topic": "article", "ms.author": "trudyha", - "ms.date": "04/05/2017", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", diff --git a/windows/whats-new/images/1_AppBrowser.png b/windows/whats-new/images/1_AppBrowser.png new file mode 100644 index 0000000000..6e1f32e389 Binary files /dev/null and b/windows/whats-new/images/1_AppBrowser.png differ diff --git a/windows/whats-new/images/2_InstallWDAG.png b/windows/whats-new/images/2_InstallWDAG.png new file mode 100644 index 0000000000..e45f714a35 Binary files /dev/null and b/windows/whats-new/images/2_InstallWDAG.png differ diff --git a/windows/whats-new/images/3_ChangeSettings.png b/windows/whats-new/images/3_ChangeSettings.png new file mode 100644 index 0000000000..968eb0c3c0 Binary files /dev/null and b/windows/whats-new/images/3_ChangeSettings.png differ diff --git a/windows/whats-new/images/4_ViewSettings.jpg b/windows/whats-new/images/4_ViewSettings.jpg new file mode 100644 index 0000000000..72ee4db754 Binary files /dev/null and b/windows/whats-new/images/4_ViewSettings.jpg differ diff --git a/windows/whats-new/images/Defender.png b/windows/whats-new/images/Defender.png new file mode 100644 index 0000000000..1d14812242 Binary files /dev/null and b/windows/whats-new/images/Defender.png differ diff --git a/windows/whats-new/images/FastSignIn.png b/windows/whats-new/images/FastSignIn.png new file mode 100644 index 0000000000..1bd763dbea Binary files /dev/null and b/windows/whats-new/images/FastSignIn.png differ diff --git a/windows/whats-new/images/Multi-app_kiosk_inFrame.png b/windows/whats-new/images/Multi-app_kiosk_inFrame.png new file mode 100644 index 0000000000..7a1928501e Binary files /dev/null and b/windows/whats-new/images/Multi-app_kiosk_inFrame.png differ diff --git a/windows/whats-new/images/Normal_inFrame.png b/windows/whats-new/images/Normal_inFrame.png new file mode 100644 index 0000000000..8d0559d0ee Binary files /dev/null and b/windows/whats-new/images/Normal_inFrame.png differ diff --git a/windows/whats-new/images/RDPwBio2.png b/windows/whats-new/images/RDPwBio2.png new file mode 100644 index 0000000000..6cffe649fe Binary files /dev/null and b/windows/whats-new/images/RDPwBio2.png differ diff --git a/windows/whats-new/images/RDPwBioTime.png b/windows/whats-new/images/RDPwBioTime.png new file mode 100644 index 0000000000..d3007e8279 Binary files /dev/null and b/windows/whats-new/images/RDPwBioTime.png differ diff --git a/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png b/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png new file mode 100644 index 0000000000..f329d74d3e Binary files /dev/null and b/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png differ diff --git a/windows/whats-new/images/WebSignIn.png b/windows/whats-new/images/WebSignIn.png new file mode 100644 index 0000000000..70d3837e85 Binary files /dev/null and b/windows/whats-new/images/WebSignIn.png differ diff --git a/windows/whats-new/images/beaming.png b/windows/whats-new/images/beaming.png new file mode 100644 index 0000000000..096c1d43f4 Binary files /dev/null and b/windows/whats-new/images/beaming.png differ diff --git a/windows/whats-new/images/block-suspicious-behaviors.png b/windows/whats-new/images/block-suspicious-behaviors.png new file mode 100644 index 0000000000..31a2cf5727 Binary files /dev/null and b/windows/whats-new/images/block-suspicious-behaviors.png differ diff --git a/windows/whats-new/images/hyper-v.png b/windows/whats-new/images/hyper-v.png new file mode 100644 index 0000000000..27f482a6dd Binary files /dev/null and b/windows/whats-new/images/hyper-v.png differ diff --git a/windows/whats-new/images/kiosk-mode.PNG b/windows/whats-new/images/kiosk-mode.PNG new file mode 100644 index 0000000000..57c420a9c2 Binary files /dev/null and b/windows/whats-new/images/kiosk-mode.PNG differ diff --git a/windows/whats-new/images/regeditor.png b/windows/whats-new/images/regeditor.png new file mode 100644 index 0000000000..947718ee80 Binary files /dev/null and b/windows/whats-new/images/regeditor.png differ diff --git a/windows/whats-new/images/virus-and-threat-protection.png b/windows/whats-new/images/virus-and-threat-protection.png new file mode 100644 index 0000000000..f5fd5287bc Binary files /dev/null and b/windows/whats-new/images/virus-and-threat-protection.png differ diff --git a/windows/whats-new/images/your-phone.png b/windows/whats-new/images/your-phone.png new file mode 100644 index 0000000000..708c6c004a Binary files /dev/null and b/windows/whats-new/images/your-phone.png differ diff --git a/windows/whats-new/index.md b/windows/whats-new/index.md index e37e313557..12fae68091 100644 --- a/windows/whats-new/index.md +++ b/windows/whats-new/index.md @@ -16,6 +16,7 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## In this section +- [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) - [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) - [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) - [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) @@ -28,8 +29,8 @@ Windows 10 provides IT professionals with advanced protection against modern sec ## Learn more - [Windows 10 roadmap](https://www.microsoft.com/en-us/WindowsForBusiness/windows-roadmap) -- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info) -- [Windows 10 update history](https://support.microsoft.com/en-us/help/12387/windows-10-update-history) +- [Windows 10 release information](https://technet.microsoft.com/windows/release-info) +- [Windows 10 update history](https://support.microsoft.com/help/12387/windows-10-update-history) - [Windows 10 content from Microsoft Ignite](https://go.microsoft.com/fwlink/p/?LinkId=613210) - [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkId=690485) diff --git a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md index 7a67f0f951..33588a5731 100644 --- a/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md +++ b/windows/whats-new/whats-new-windows-10-version-1507-and-1511.md @@ -15,7 +15,7 @@ ms.date: 10/16/2017 Below is a list of some of the new and updated features included in the initial release of Windows 10 (version 1507) and the Windows 10 update to version 1511. >[!NOTE] ->For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info).   ## Deployment @@ -291,11 +291,11 @@ Do you need a computer that can only do one thing? For example: - A device that a temporary worker uses to enter data. -You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/en-us/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. +You can configure a persistent locked down state to [create a kiosk-type device](https://technet.microsoft.com/itpro/windows/manage/set-up-a-device-for-anyone-to-use). When the locked-down account is logged on, the device displays only the app that you select. -You can also [configure a lockdown state](https://technet.microsoft.com/en-us/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. +You can also [configure a lockdown state](https://technet.microsoft.com/itpro/windows/manage/lock-down-windows-10-to-specific-apps) that takes effect when a given user account logs on. The lockdown restricts the user to only the apps that you specify. -Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/en-us/itpro/windows/manage/windows-10-start-layout-options-and-policies). +Lockdown settings can also be configured for device look and feel, such as a theme or a [custom layout on the Start screen](https://technet.microsoft.com/itpro/windows/manage/windows-10-start-layout-options-and-policies). ### Customized Start layout diff --git a/windows/whats-new/whats-new-windows-10-version-1607.md b/windows/whats-new/whats-new-windows-10-version-1607.md index b296cc0cdf..55c81fa1cf 100644 --- a/windows/whats-new/whats-new-windows-10-version-1607.md +++ b/windows/whats-new/whats-new-windows-10-version-1607.md @@ -15,7 +15,7 @@ ms.date: 10/16/2017 Below is a list of some of the new and updated features in Windows 10, version 1607 (also known as the Anniversary Update). >[!NOTE] ->For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). +>For release dates and servicing options for each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info).    ## Deployment @@ -27,7 +27,7 @@ Windows ICD now includes simplified workflows for creating provisioning packages - [Simple provisioning to set up common settings for Active Directory-joined devices](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment) - [Advanced provisioning to deploy certificates and apps](/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates) -- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain) +- [School provisioning to set up classroom devices for Active Directory](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) [Learn more about using provisioning packages in Windows 10.](/windows/configuration/provisioning-packages/provisioning-packages) @@ -83,7 +83,7 @@ Additional changes for Windows Hello in Windows 10, version 1607: - The VPN client can integrate with the Conditional Access Framework, a cloud-based policy engine built into Azure Active Directory, to provide a device compliance option for remote clients. - The VPN client can integrate with Windows Information Protection (WIP) policy to provide additional security. [Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip), previously known as Enterprise Data Protection. -- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) +- New VPNv2 configuration service provider (CSP) adds configuration settings. For details, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607) - Microsoft Intune: *VPN Profile (Windows 10 Desktop and Mobile and later)* policy template includes support for native VPN plug-ins. @@ -103,7 +103,7 @@ Several new features and management options have been added to Windows Defender - [Windows Defender Offline in Windows 10](/windows/threat-protection/windows-defender-antivirus/windows-defender-offline) can be run directly from within Windows, without having to create bootable media. - [Use PowerShell cmdlets for Windows Defender](/windows/threat-protection/windows-defender-antivirus/use-powershell-cmdlets-windows-defender-antivirus) to configure options and run scans. - [Enable the Block at First Sight feature in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) to leverage the Windows Defender cloud for near-instant protection against new malware. -- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more informaiton about threat detections and removal. +- [Configure enhanced notifications for Windows Defender in Windows 10](/windows/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus) to see more information about threat detections and removal. - [Run a Windows Defender scan from the command line](/windows/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus). - [Detect and block Potentially Unwanted Applications with Windows Defender](/windows/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) during download and install times. @@ -125,7 +125,7 @@ Enterprise administrators can add and remove pinned apps from the taskbar. Users ### Mobile device management and configuration service providers (CSPs) -Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for Windows 10, version 1607, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/en-us/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). +Numerous settings have been added to the Windows 10 CSPs to expand MDM capabilities for managing devices. To learn more about the specific changes in MDM policies for Windows 10, version 1607, see [What's new in MDM enrollment and management](https://msdn.microsoft.com/library/windows/hardware/mt299056%28v=vs.85%29.aspx#whatsnew_1607). ### Shared PC mode @@ -151,4 +151,4 @@ With the release of Windows 10, version 1607, UE-V is included with the Windows ## Learn more -- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info) +- [Windows 10 release information](https://technet.microsoft.com/windows/release-info) diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md index a363f852cd..08f3d814ab 100644 --- a/windows/whats-new/whats-new-windows-10-version-1703.md +++ b/windows/whats-new/whats-new-windows-10-version-1703.md @@ -18,7 +18,7 @@ Below is a list of some of what's new in Information Technology (IT) pro feature For more general info about Windows 10 features, see [Features available only on Windows 10](https://www.microsoft.com/windows/features). For info about previous versions of Windows 10, see [What's New in Windows 10](index.md). Also see this blog post: [What’s new for IT pros in the Windows 10 Creators Update](https://blogs.technet.microsoft.com/windowsitpro/2017/04/05/whats-new-for-it-pros-in-the-windows-10-creators-update/). >[!NOTE] ->Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update). +>Windows 10, version 1703 contains all fixes included in previous cumulative updates to Windows 10, version 1607. For info about each version, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info). For a list of removed features, see [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update). ## Configuration diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md index a58a02c87b..aa01ea5caa 100644 --- a/windows/whats-new/whats-new-windows-10-version-1709.md +++ b/windows/whats-new/whats-new-windows-10-version-1709.md @@ -30,7 +30,7 @@ A brief description of new or updated features in this version of Windows 10 is Windows Autopilot is a zero touch experience for deploying Windows 10 devices. Configuration profiles can now be applied at the hardware vendor with devices being shipped directly to employees. For more information, see [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-10-auto-pilot). -You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/en-us/microsoft-store/add-profile-to-devices). +You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). ### Windows 10 Subscription Activation @@ -45,7 +45,7 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett ### Windows Update for Business (WUfB) -WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/en-us/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). ### Windows Insider Program for Business @@ -72,7 +72,7 @@ This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.wind ### Kiosk Configuration -The AssignedAccess CSP has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For more information, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). +The AssignedAccess CSP has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For more information, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps). ## Security @@ -80,7 +80,7 @@ The AssignedAccess CSP has been expanded to make it easy for administrators to c >[!NOTE] >Windows security features have been rebranded as Windows Defender security features, including Windows Defender Device Guard, Windows Defender Credential Guard, and Windows Defender Firewall. -**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/en-us/windows/device-security/security-compliance-toolkit-10). +**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). ### Windows Defender ATP @@ -96,7 +96,7 @@ Window Defender Exploit Guard provides intrusion prevention capabilities to redu ### Windows Defender Device Guard -Configurable code integrity is being rebranded as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide). +Configurable code integrity is being rebranded as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide). ### Windows Information Protection @@ -104,7 +104,7 @@ Windows Information Protection is now designed to work with Microsoft Office and ### Windows Hello -New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. More details about this feature will be available soon. For general information, see [Windows Hello for Business](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification). +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. More details about this feature will be available soon. For general information, see [Windows Hello for Business](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-identity-verification). ### BitLocker @@ -112,10 +112,10 @@ The minimum PIN length is being changed from 6 to 4, with a default of 6. For mo ### Windows security baselines -Microsoft has released new [Windows security baselines](https://docs.microsoft.com/en-us/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/en-us/windows/device-security/security-compliance-toolkit-10). +Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). ### SMBLoris vulnerability -An issue, known as “SMBLoris?, which could result in denial of service, has been addressed. +An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. ## Windows Analytics diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md index df2abc4ea4..622cbcdd98 100644 --- a/windows/whats-new/whats-new-windows-10-version-1803.md +++ b/windows/whats-new/whats-new-windows-10-version-1803.md @@ -136,7 +136,7 @@ Portions of the work done during the offline phases of a Windows update have bee Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. -For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/en-us/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) +For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) ### OS uninstall period @@ -144,13 +144,13 @@ The OS uninstall period is a length of time that users are given when they can o ### Windows Hello for Business -[Windows Hello](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. +[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. - Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). - Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. - Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. - You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. -- New [public API](https://docs.microsoft.com/en-us/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. +- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. - It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) @@ -173,13 +173,13 @@ The new [security baseline for Windows 10 version 1803](https://docs.microsoft.c ### Windows Defender Antivirus -Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). +Windows Defender Antivirus now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). ### Windows Defender Exploit Guard Windows Defender Exploit Guard enhanced attack surface area reduction, extended support to Microsoft Office applications, and now supports Windows Server. [Virtualization-based Security](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/Windows-Defender-System-Guard-Making-a-leap-forward-in-platform/m-p/167303) (VBS) and Hypervisor-protected code integrity (HVCI) can now be enabled across the Windows 10 ecosystem. These Exploit Guard features can now be enabled through the Windows Defender Security Center. -For more information, see [Reduce attack surfaces with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) +For more information, see [Reduce attack surfaces with Windows Defender Exploit Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) ### Windows Defender ATP @@ -187,17 +187,17 @@ For more information, see [Reduce attack surfaces with Windows Defender Exploit - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) -- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) +- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) ### Windows Defender Application Guard -Windows Defender Application Guard has added support for Edge. For more information, see [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements) +Windows Defender Application Guard has added support for Edge. For more information, see [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard#software-requirements) ### Windows Defender Device Guard -Configurable code integrity is being rebranded as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide). +Configurable code integrity is being rebranded as Windows Defender Application Control. This is to help distinguish it as a standalone feature to control execution of applications. For more information about Device Guard, see Windows [Defender Device Guard deployment guide](https://docs.microsoft.com/windows/device-security/device-guard/device-guard-deployment-guide). ### Windows Information Protection @@ -215,11 +215,11 @@ Upgrade Readiness has added the ability to assess Spectre and Meltdown protectio ### Update Compliance -Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see [Delivery Optimization in Update Compliance](https://docs.microsoft.com/en-us/windows/deployment/update/update-compliance-delivery-optimization) +Update Compliance has added Delivery Optimization to assess the bandwidth consumption of Windows Updates. For more information, see [Delivery Optimization in Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-delivery-optimization) ### Device Health -Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords— for a smooth migration to the password-less future. For more information, see [Using Device Health](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-using) +Device Health’s new App Reliability reports enable you to see where app updates or configuration changes may be needed to reduce crashes. The Login Health reports reveal adoption, success rates, and errors for Windows Hello and for passwords— for a smooth migration to the password-less future. For more information, see [Using Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-using) ## Microsoft Edge @@ -234,4 +234,4 @@ Support in [Windows Defender Application Guard](#windows-defender-application-gu [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
    [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
    [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709. -[How to take a screenshot on pc without any app](https://rahulit.com/how-to-take-a-screenshot-on-a-dell-laptop/) + diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md new file mode 100644 index 0000000000..28425c1330 --- /dev/null +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -0,0 +1,241 @@ +--- +title: What's new in Windows 10, version 1809 +description: New and updated features in Windows 10, version 1809 +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.date: 12/31/2018 +ms.localizationpriority: high +--- + +# What's new in Windows 10, version 1809 for IT Pros + +>Applies To: Windows 10, version 1809, also known as Windows 10 October 2018 Update + +In this article we describe new and updated features of interest to IT Pros for Windows 10, version 1809. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1803. + +The following 3-minute video summarizes some of the new features that are available for IT Pros in this release. + +  + +> [!video https://www.youtube.com/embed/hAva4B-wsVA] + +## Deployment + +### Windows Autopilot self-deploying mode + +Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. + +This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. + +You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. + +To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). + +### SetupDiag + +[SetupDiag](/windows/deployment/upgrade/setupdiag.md) version 1.4 is released. SetupDiag is a standalone diagnostic tool that can be used to troubleshoot issues when a Windows 10 upgrade is unsuccessful. + +## Security + +We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: + +![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") + +With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + +When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. + +We added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. + +We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. + +This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). + +
    HKLM\SOFTWARE\Microsoft\Security Center\Feature DisableAvCheck (DWORD) = 1
    + +### BitLocker + +#### Silent enforcement on fixed drives + +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. + +This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. + +This feature will soon be enabled on Olympia Corp as an optional feature. + +#### Delivering BitLocker policy to AutoPilot devices during OOBE + +You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins. + +For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. + +### Windows Defender Application Guard Improvements + +Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings. + +Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security. For more information, see [Windows Defender Application Guard inside Windows Security App](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). + +To try this: + +1. Go to**Windows Security** and select **App & browser control**. +2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device. +3. Select **Change Application Guard** settings. +4. Configure or check Application Guard settings. + +See the following example: + +![Security at a glance](images/1_AppBrowser.png "app and browser control") +![Isolated browser](images/2_InstallWDAG.png "isolated browsing") +![change WDAG settings](images/3_ChangeSettings.png "change settings") +![view WDAG settings](images/4_ViewSettings.jpg "view settings") + +### Windows Security Center + +Windows Defender Security Center is now called **Windows Security Center**. + +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. + +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. + +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. + +![alt text](images/defender.png "Windows Security Center") + +### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes + +You can add specific rules for a WSL process in Windows Defender Firewall, just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead). + +### Microsoft Edge Group Policies + +We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](https://aka.ms/new-microsoft-edge-group-policies). + +### Windows Defender Credential Guard is supported by default on 10S devices that are AAD Joined + +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. + +Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on 10-S devices. Please note that Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. + +### Windows 10 Pro S Mode requires a network connection + +A network connection is now required to set up a new device. As a result, we removed the “skip for now” option in the network setup page in Out Of Box Experience (OOBE). + +### Windows Defender ATP + +[Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: + +- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
    +Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + +- [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
    + With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
    +Windows Defender ATP adds support for this scenario by providing MSSP integration. +The integration will allow MSSPs to take the following actions: +Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. + +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
    +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
    +Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. + +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
    +Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. + +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection)
    +Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor + +## Kiosk setup experience + +We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. + +To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. + +![set up a kiosk](images/kiosk-mode.png "set up a kiosk") + +Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. + +1. **Digital / Interactive signage** that displays a specific website full-screen and runs InPrivate mode. +2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. + +![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") + +Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. + +>[!NOTE] +>The following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. + +**Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. + +![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") + +**Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. + +![normal mode](images/Normal_inFrame.png "normal mode") + +Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") + +## Faster sign-in to a Windows 10 shared pc + +Do you have shared devices deployed in your work place? **Fast sign-in** enables users to sign in to a shared Windows 10 PC in a flash! + +**To enable fast sign-in:** +1. Set up a shared or guest device with Windows 10, version 1809. +2. Set the Policy CSP, and the Authentication and EnableFastFirstSignIn policies to enable fast sign-in. +3. Sign-in to a shared PC with your account. You'll notice the difference! + + ![fast sign-in](images/fastsignin.png "fast sign-in") + +## Web sign-in to Windows 10 + +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). + +**To try out web sign-in:** +1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). +2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +3. On the lock screen, select web sign-in under sign-in options. +4. Click the “Sign in” button to continue. + + ![Web sign-in](images/websignin.png "web sign-in") + +## Your Phone app + +Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. + +For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. + +![your phone](images/your-phone.png "your phone") + +The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. + +## Wireless projection experience + +One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes: + +* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible +* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly +* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. + +![wireless projection banner](images/beaming.png "wireless projection banner") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. + +See the following example: + +![Enter your credentials](images/RDPwBioTime.png "Windows Hello") +![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") \ No newline at end of file diff --git a/windows/yw45mjxz.3sx.json b/windows/yw45mjxz.3sx.json deleted file mode 100644 index 4b4ae6ca01..0000000000 Binary files a/windows/yw45mjxz.3sx.json and /dev/null differ